Ransomware attacks — a type of digital crime in which the hacker locks up a business’s systems and demands a ransom payment to restore access — are on the rise. Attacks on large corporations like Colonial Pipeline, Kaseya and JBS Meat Company have dominated recent headlines, but small and mid-sized businesses are also being targeted.

This article outlines the risks businesses face and some specific controls you can implement to create more robust defenses against ransomware and other cyberattacks.

The Cost of Cyberattacks

Cybercrime is a huge and profitable enterprise, and most hackers have a purely financial motivation. According to the Ponemon Institute’s 2021 Cost of a Data Breach Report, the average total cost of a data breach is now $4.24 million, with ransomware attacks averaging an even more painful $4.62 million.

Victims of ransomware often don’t regain access to their files after paying the ransom, and businesses that refuse to pay end up spending millions of dollars to rebuild their data. (To reduce the flood of business-disrupting cyberattacks, the federal Cybersecurity and Infrastructure Security Agency recently appointed a new director, Jen Easterly, to lead efforts to fight cybercrime. Easterly has extensive corporate and military experience in intelligence and cyber operations.)

Even a minor breach can carry a hefty price tag. According to Ponemon, the average cost per lost or stolen record was $161 across all data breaches. Some hourly expenses, such as legal fees, accrue regardless of the number of records that are affected. A breach can also damage your organization’s reputation and value.

Crimes of Opportunity

In most cases, breaches are crimes of opportunity, rather than targeted attacks on a specific company. The weak link in the security chain is usually a person. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element.

The most prevalent form of attack is phishing schemes, which infect a system with malware or ransomware when the user unwittingly opens a malicious attachment or clicks a link in a legitimate-looking email. Malware is used to steal data and then sell it on the black market, where each stolen record may bring anywhere from a few cents to hundreds of dollars, depending on what it contains and how the buyer can use it.

As the volume of available data continues to multiply and data becomes increasingly connected, the threat will only keep growing. On top of that, larger remote workforces have made businesses more susceptible to attacks, increasing both the cost of a breach and the time needed to identify and contain it.

The good news? There is a lot you can do to safeguard your data, without making large expenditures on technology.

Protect Your Business by Implementing Simple Controls

You can greatly mitigate your risk, often within weeks, by implementing these basic cybersecurity steps:

1. Assess your risks. These include vulnerabilities related to your industry, your people, your technology and your business partners. Vendor/supplier security is critical, so in addition to assessing your internal risks, you need to determine what data these outside parties can access, and what their controls and safeguards are.
2. Classify your data. You need to know how sensitive various information is, so that you can prioritize your security efforts and apply your resources where they are needed most. Protecting your data also requires that you understand how it is flowing through your organization. For example, are you using the cloud to send proprietary information to a manufacturer?
3. Implement controls. These are simply the processes that you put in place to mitigate risks. For example, you can implement multifactor authentication (MFA/DFA), email filters, hold data security training for your workforce, encrypt your laptops and require your vendors to have service organization control (SOC) audits.
4. Verify the controls. Once your processes are in place, run periodic tests on select controls, to validate that they are working as intended.
5. Create a breach preparedness plan, and test it. Treat cyber incidents the same way you do disaster recovery or business continuity. Have a plan for how you will evaluate the damage, and how you will communicate and manage it internally and externally. Then test and refine your plan, by regularly sitting down with key personnel to run through your response to various hypothetical scenarios.
6. Keep machines’ patches up to date. Preventive maintenance is essential for a secure and safe environment against malware. Stable machines will also reduce the overall operation cost in the long run.
7. Make regular backups. Maintain at least one copy offline and encrypt your files. Remote environments may take longer to be reached but are less vulnerable. Be sure to regularly test your backups.
8. Consider cyber insurance. You may want to use insurance instruments to transfer your risk to a third party. (If your organization has a cybersecurity program, and you are knowledgeable about your risks, you’ll also be a stronger candidate when you apply for an insurance policy.)

Reassess Annually and Involve Your Board

As your business changes, your risks change, so you should reassess your situation annually. If you have an existing enterprise risk management (ERM) program, you can leverage it and fold in your cybersecurity processes.

Ongoing board involvement and oversight is also important to your cybersecurity efforts. Evaluate your board composition and update it, if necessary, to add someone with data security expertise, and redefine your board committees to include cybersecurity responsibilities. You also need to establish proper governance and board oversight of your cybersecurity processes and strategy.

Ransomware and other cyberattacks can be detrimental to your company’s reputation, customers and overall bottom line. The consequences are usually severe, and there is no guarantee that your business will get its data back after the sum is paid.

Although there is no way to completely prevent a breach, a strong cybersecurity program can help you mitigate your risks and be better prepared to respond to an attack. As the old saying goes, an ounce of prevention is worth a pound of cure.

Contact our cybersecurity team to learn more about strengthening your defenses against cyberattacks or to take the first step with a cybersecurity evaluation.