Protecting Small Businesses From Ransomware on a Budget

If your organization is hit with a ransomware attack, it's going to cost you. According to Verizon's "2023 Data Breach Investigations Report"(DBIR), released earlier this month, the median loss to a ransomware attack has risen to $26,000 and can go as high as $2.25 million.

"[T]he overall costs of recovering from a ransomware incident are increasing, even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down," the DBIR team wrote.

Much of the expense comes from the loss of business and recovery time. The average ransomware attack has a life cycle of more than 300 days. That's nearly a full year in which the organization is tied up with discovery and remediation — and almost two months longer than other types of cyber incidents. And then there are other costs to factor, such as long-term damage to the corporate brand and reputation, as well as loss of institutional knowledge when the employees who are held responsible for the attack are let go.

The costs surrounding a ransomware attack could cripple small and midsize businesses (SMBs) and even cause one to shut down. But it doesn’t have to be that way. Even for SMBs with tight IT/security budgets and limited security expertise, ransomware protection and recovery boils down to planning ahead.

The best way to avoid the high costs of a ransomware attack is to avoid being a victim, but protection and detection tools also come with hefty price tags. How much a company will need to pay depends on the number of employees and devices it needs to protect, but even a company with as few as 50 people can spend five figures on ransomware protection. Cyber insurance to protect the business in case of an attack could add at least $1,500 per $1 million in coverage, depending on the deductible.

Note that getting cyber insurance for ransomware is not easy; many insurance agencies are limiting coverage because of the high payout costs.

Organizations also need to think about the cybersecurity approach they want to take. How cybersecurity teams approach ransomware defense has changed over the years, says PJ Kirner, CTO and co-founder of Illumio. Cybersecurity has shifted from perimeter defense (setting up a secure perimeter to keep the bad guys out), to rapid detection (detecting and stopping as quickly as possible), to containment (limiting the amount of damage the attackers can cause once they break in).

Which approach an SMB decides to take determines the type of tools and protective actions it will need. A company deciding to contain malware would make investments to beef up authentication and privilege management in order to validate all users and devices before granting access to any transaction. A company focused on perimeter defense would have very different investments, requiring firewalls and other methods to keep attackers out of the network.

While an organization can adopt any number of security systems and tools, SMBs should consider the following actions, regardless of their overall security approach.

1. Decrease the Attack Surface

Applying the concept of least-privilege access can close the door against ransomware attacks. The fewer people with access to applications and databases, the lower the chances for cybercriminals to also gain access and get in. Audit your users' roles to make sure they have access only to the software and services they need, especially if the software processes sensitive data.

For example, explains Kirner, Remote Desktop Protocol (RDP) is a popular access point for threat actors to get into a Windows system and launch ransomware. But RDP is most often used for IT help desks and troubleshooting. Most employees across the business have no need to have RDP accounts, yet they might have RDP enabled on their machines. Kirner advises revoking access if employees have no reason to have those accounts.

"Remove all that attack surface from your environment," Kirner says. "This is something you can do proactively and reduce the impact of ransomware."

Also worth disabling — especially in a Windows environment — is PowerShell. Attackers are increasingly using PowerShell in malware-less attacks. The average user is never going to use it, so it's better to disable it when setting up the user machine. Similarly, keep track of what accounts have been created on the network or for cloud applications and services. If the employee no longer needs it or has left the company, remove that account entirely. Cloud access security broker software can help manage and monitor employees’ cloud activity and enforce security policies.

2. Shift the Costs to the Attackers

Another way to make your organization less attractive to bad actors is to make launching an attack more costly for the cybercriminal. Something as simple as restricting access to unnecessary applications shifts the burden to the attacker. If the attacker can’t do much with the application despite having user credentials — maybe they can only view reports but can’t extract data — the attacker has a choice of moving on to easier victims or working harder. Similarly, requiring multifactor authentication adds another roadblock for threat actors because just stealing credentials is no longer enough. Many types of MFA can fit an SMB's budget and security expertise, including biometrics, hardware tokens, and even the employee’s phone.

Attackers are economic actors, just like any other business, Kirner points out. "When they run out of time, they'll go to an environment with less security controls," he says.

3. Improve Your Security Hygiene

Good security hygiene is important, regardless of company size.

The first step is to build an internal security culture around cybersecurity awareness and guidance, explains Dave Gerry, CEO at Bugcrowd. That doesn’t just mean watching security videos and calling it a day. Encourage open communications and give employees the confidence to report anything that seems suspicious.

Explain which external services and resources are allowed and why there are restrictions. Make it easy for employees to go through an approval process for getting access to tools so that they aren’t just going off and creating their own accounts.

Use modern training materials. Security companies are now producing training videos that are episodic, like sitcoms, or use techniques from reality shows that entertain as well as educate.

Gamification, such as setting up contests or offering rewards when designated milestones are met, also creates an environment where employees want to improve their security practices. Human error is a top cause of cyberattacks. When employees are encouraged to take an active role in cybersecurity and understand the consequences when they don't, you add another cybersecurity tool at little cost.

4. Don't Fail to Plan

Prevention is important, but every organization should have a plan in place to mitigate an attack when it happens. The company should know who will be involved in mitigation and recovery, as well as how to handle the negotiations.

For example, because of the possibility that a ransomware attack can lead to permanently shutting down an SMB, many plan to pay the ransom. That requires setting a budget on how much to pay. If the organization does not already have a cryptocurrency wallet or access to cryptocurrency, that will make payment a bit difficult. SMBs are already working with managed service providers, consultants, and contractors. It may be worth lining up a ransomware negotiator ahead of time, who can spring into action when needed. The same goes for a computer forensics team to help figure out what is happening on the network and how to remove the ransomware.

Priority No. 1 has to be a strategy, says Joseph Carson, chief security scientist at Delinea. A ransomware attack isn't a typical incident, he points out. It will make you unavailable to your customers and, in worst-case scenarios, put lives at risk. No matter how small your budget, it is essential to think about what ransomware defense should look like but to also plan out what is needed for a successful recovery.