May 2 marks the start of National Small Business Week, a week that recognizes “the critical contributions of America’s entrepreneurs and small business owners”, and promises to “celebrate the resiliency and tenacity of America’s entrepreneurs.”
That sounds good to us: Small business are a vital economic engine, accounting for more than 99% of all businesses in the USA, and employing about half the US workforce. And, like any engine, they need preventative maintenance and careful running to keep them ticking over smoothly—which increasingly means ensuring they have good cybersecurity discipline.
That sounds like something we can help with, so if you want your small business purring and safe from cyberthreats, watch out for these three warning signs.
1. Thinking you are not a target
Perhaps the most egregious cyber-error a small business can commit is believing it is too small to have to bother with cybersecurity, because it thinks it’s too small to be a target.
Life would be a lot easier if there were a minimum size limit on the businesses that cybercriminals care about, but sadly, there is not. Sure, there are some nation-state actors and big game ransomware gangs that might give you a swerve. But for every attacker trying to land a whale, there’s a countless multitude trying to catch minnows in drift nets.
The threat to small businesses is so serious that in 2021 it was discussed by the Senate Judiciary committee. Ranking member Senate Chuck Grassley described the problem in these terms:
“Earlier this year, FBI Director Chris Wray compared the challenges of fighting ransomware to those we faced after 9/11. Estimates on the amount of ransoms paid in 2020 run into the hundreds of millions of dollars. Ransomware has targeted schools, local governments, and, during this pandemic, even hospitals and healthcare providers…An estimated three out of every four victims of ransomware is a small business.”Senator Chuck Grassley
Believing you can add security later means avoiding the basics now. And that leads to critical mistakes like using old, unsupported versions of Windows and macOS; not updating third-party apps; giving everyone admin access to everything; turning on RDP when you don’t need it (and failing to secure it when you do); leaving unused, unnecessary, and unsafe ports open at the firewall; saving passwords in plain text; not enforcing minimum password complexity standards; not using multi-factor authentication (MFA); and using unpatched, on-premises versions of Exchange.
It is never too soon to do these things—the longer you leave it, the more expensive and difficult they become. Be in no doubt: Cybercriminals will try to use your Exchange server to spread ransomware, they will try to brute force your RDP, they will try to inject skimmers into your website, they will try to exploit your browsers, they will try to fool you into downloading malware, they will try to phish your logins, and they will send you more malicious attachments than you’ve had hot dinners (and your employees will click them).
2. Waiting for bad things to happen
Our second red flag to watch out for is a lack of proactivity in your security.
Last year I interviewed a number of small business IT people. For all of them, security was important, but it was typically one of many responsibilities being handled by a small staff. Most of their time was spent firefighting one IT problem or another, and so, outside of a weekly check, their endpoint protection montioring went largely unattended unless it too was (figuratively) ablaze.
According to Taylor Triggs, one of our Malware Removal Specialists, that seven day gap between checks is big enough for an attacker to drive their coach and horses through.
Ransomware attacks typically start with some kind of network breach. This is often followed by activity that escalates an attacker’s privileges, lateral movement through a network, and finally encryption of the victim’s data. Each step generates behavior or artefacts that can tip off sharp-eyed threat hunters to the presence of an attacker, before the ransomware gets to work.
Right now, Triggs says, the most common problem he’s seeing in small and medium-sized businesses is a combination of unpatched Exchange servers and those unattended alerts:
“Many of the ransomware cases we have seen recently have started with Exchange servers still vulnerable to Hafnium. Customers with EDR had alerts showing that a Hafnium breach was the initial compromise before encryption occurred but they ignored the alerts.”
“Waiting for things to happen” is often a symptom of not hiring qualified IT staff, having too few IT staff, or not having the appropriate security skills and awareness among IT staff.
3. Assuming everything will be OK
Any breach that goes unnoticed or is left unattended can lead to ransomware, and the target of modern ransomware operators is not a computer, it is your entire organization. That makes ransomware an existential threat. You might not get hit by an earthquake every day, but that doesn’t excuse you from planning for one if you’re at risk, and ransomware is an earthquake that can hit any small business.
Failing to plan is planning to fail, as they say, and the symptoms of failing to plan are:
- Not having having an incident response plan
- Not making backups
- Not testing that your backups work
- Not keeping backups beyond the reach of attackers
If the worst happens, you will wish you had planned your response in advance. You will wish you knew how to identify and isolate an attack; you will wish you had decided what data and assets you care about most, which you want to restore first, what that will take, and who will do it; and you will probably wish you had rehearsed it all. You can read more about how to prepare for a ransomware attack by downloading our Ransomware Emergency Kit.
If you simply assume it won’t happen to you, or that you’ll be OK if it does, you may be left with no option but to pay an extortionate ransom for a criminal’s decryption tool, and you really want to avoid that. The tools frequently fail, and your willingness to pay will lead to repeat attacks.
If you want to know how it feels to be attacked by ransomware without actually having to go through it yourself, listen to our podcast interview with Ski Kacoroski below. Ski is a sysadmin who was brave enough to speak openly about his race against a real-life ransomware attack and his candid interview is a warning against the complacency of assuming everything will work out.