There is a lot of scaremongering when it comes to cyber security and threats such as ransomware, and because the risks have been exaggerated so far, it’s very easy to turn around and say ‘it won’t happen to us’. We hear a lot of small businesses say that they won’t be a target for cybercrime because no one has heard of them, they’re too small or they haven’t got enough finances to be of interest. We want to explain why this isn’t the case, why small businesses need to be aware of threats like ransomware, and how those threats can impact their operations.
Small businesses are not a target for cybercrime
There are many assumptions when it comes to cyber security, and the one we hear the most is that small businesses are not targets for cybercrime. We know this isn’t true because we have seen it. We have received phishing emails ourselves trying to extort money. The thing to understand about the criminals who send things like malicious emails is that they have not necessarily decided today that they are going to try to get you specifically. They send out thousands of emails a day in the hope that one person will be unlucky and be fooled.
When you think about it, if you sent 10,000 emails out with ransomware hidden in a malicious link or attachment, and one person clicks on it and downloads it onto their device, then you could have hit the jackpot. If that person pays the $300 ransom to get their data back, then you have just made $300 with a click of a button.
A lot of small businesses don’t think things like ransomware will affect them because they’re not household names. A lot of the time this is precisely why they are on a target list. Small businesses will often not have the resources to deal with an attack. They will just pay the ransom to be able to get their data back. If you are ever in that situation, we urge you not to pay the money. Make sure that you have a good backup in place and try to restore your data. If you pay the ransom, there is no guarantee that you will get the data back, and you will be put on a list of people willing to pay up. You will be attacked again.
Ransomware is a data breach under GDPR
Ransomware is not just a problem because you can’t access your data. It’s a problem because someone else has got access to your data, and therefore your data has been breached. Under the General Data Protection Regulation (GDPR), which is coming into force on 25th May 2018, you are obligated to report a data breach to the Information Commissioner’s Office within 72 hours of discovery. For suffering a data breach, you can be fined up to €20 million or 4% of your annual global turnover, whichever is greater. If you don’t report the breach, you can face further fines of up to €10 million or 2% of your annual global turnover.
We think it’s important to note here that the statement is ‘up to.’ A lot of small businesses see these massive numbers and think that they will not affect them. The figures are for the likes of Google and Facebook. The penalties will obviously be reduced for small businesses: if you have a £1 million turnover, then you can be fined up to £40,000 if you don’t bother taking the precautions to protect your business. We recently came across the statement: ‘Perfect security is impossible, failing to try is unacceptable.’ If a small business does not make any attempt at security, then it is putting itself at financial risk from the GDPR fines.
What to do in a ransomware attack
As we said previously, we highly recommend that you do not pay a ransom to retrieve your data. The best thing to do in a ransomware attack is to disconnect the affected device from your network immediately to reduce the likelihood of the ransomware spreading to other devices. We recommend that you have a good backup and disaster recovery plan in place so that you can restore from a backup rather than dealing with the ransomware. You should also take preventative measures to try to avoid an attack in the first place. We suggest that you have our essential recommendations for cyber security in place and make sure staff know what to look out for. You can find more information in our Ransomware Playbook.
Make sure that you don’t ignore cyber security as a small business. While there may be some associated costs, in the long run they could save you a lot of time and money.
We would love to hear your thoughts and ideas on how ransomware affects small businesses. If you would like to know more, say hello today and call 01675 469020 or email firstname.lastname@example.org