Do you have £45 million to spare? That’s how much a ransomware attack cost Norsk Hydro in the first quarter of 2019. A total of 22,000 computers had their files forcibly encrypted (made unreadable without a particular key) across 40 countries in which the aluminium producer operates. It left employees stuck with good old pen-and-paper and using manual production lines where possible.
Norsk Hydro never paid the hackers’ ransom and was completely honest about what happened. Its approach was praised by both law enforcement and IT security experts since it didn’t end up funding future hacking attempts.
Unfortunately, companies are more likely to go against common sense and pay the ransom anyway. The reasons are various, ranging from improper (or no) backup infrastructure to needing to keep business afloat in more sensitive sectors, such as healthcare.
To be fair, there are some cases where paying the ransom would minimize damages (usually at the cost of company reputation). Still, those cases should come after all other options are exhausted. But why end up in those situations in the first place? An effective cybersecurity plan that evolves as new threats arise minimises risk.
The alternative is spending £72 million on system upgrades like the NHS after the 2017 WannaCry attacks. The choice seems simple here – but if you’re still not convinced, here are some more facts that will.
Cyber Threats Are Here To Stay
Ransomware attacks on such a massive scale seem to happen at least once a month nowadays. The entire American city of Baltimore was “held hostage” in May. A similar incident happened in Greenville, North Carolina the previous month.
Massive attacks aside, cybercriminals tend to target small businesses due to fewer investments in their cybersecurity infrastructure. It’s predicted that a new organization will be affected by such an attack every 11 seconds as soon as 2021.
This still doesn’t compare to the ever-looming threat of phishing attacks. Phishing is a form of social engineering where attackers use fake emails and/or websites to gain valuable data from their target and cause serious damage. According to the Cyber Security Breaches Survey, phishing is the number one cyber threat affecting businesses and charities across the country.
It is relatively simple to perform, inexpensive and monstrously efficient, and attackers see no reason to stop. Organizations need to train all staff to recognize and avoid malicious emails, doubt every website that asks for sensitive data, and so on. It might be a costly investment, but certainly less so than the potential expenses of recovery.
Vulnerabilities Are Found Every Day
It’s no secret that public Wi-Fi is a hotbed for hacking and other illegal activity. Allowing staff to work remotely has some advantages. What better time to squeeze out that late report than waiting at the airport or a café? But the risks far outweigh them.
Yet even secured business networks may be a hazard due to exploits found in the very design of Wi-Fi encryption. Let’s take WPA2 (Wi-Fi Protected Access 2), the current standard. Its authentication process is affected by KRACK (Key Reinstallation Attack). This allows hackers to break the encryption – meaning easy access into company transmissions. WPA3, the successor to WPA2, was supposed to fix this. Spoiler alert: it hasn’t. In fact, it may have created even more avenues for attack.
It is therefore up to businesses to take matters into their own hands to secure their data. As the vulnerabilities discussed above are related to encryption, choosing the right VPN software provider is an inevitable first step.
A VPN (Virtual Private Network) encrypts or obfuscates data you send and receive over a network. It makes it unreadable to those without the encryption key. But instead of an attacker locking your files away, you keep the cybercriminals out of your business. You can install VPN software on almost any device, even on the routers themselves.
This makes it an ideal solution for work environments with plenty of smartphones, tablets, laptops, and so on. Each of these devices can be used as a point of entry into your network. Securing them all should be a priority.
It Might Get Too Complicated
Small and medium-sized businesses (SMBs) have a distinct advantage over corporations that span entire continents. It is much easier to implement cybersecurity measures on a smaller scale. Imagine having to overhaul outdated, single password-based security systems and switch over to biometrics or multi-factor authentication for thousands and thousands of devices.
Just the thought of it is intimidating, not to mention the costs. Getting a head start in up-to-date cybersecurity tech and practices right now can hurt wallets in the short term. Business owners will be glad they called in that security expert when they read about the latest data breach in the papers.
Cyber Criminal Numbers Are Growing
The days when hackers were isolated cases from the US or Western Europe doing it for fame and money are past. It’s extremely easy nowadays to find hacking tools and tutorials online. Teenagers can hack into school Wi-Fi to avoid tests. Imagine somebody with a bit more experience and foresight doing that to an SMB.
Hundreds of millions of people from all over the world may engage in cybercrime for more than just monetary gain. They may be motivated by personal political agendas, for their governments’ interests, or out of a simple desire to cause chaos. Any of these people could consider it a benefit to target SMBs to further their goals. Do you have the right protection in place in case you get caught in their crosshairs?
ProPrivacy is the leading resource for digital freedom. Founded in 2013, the site’s mission is to help users around the world reclaim their right to privacy through research, reviews, knowledge-sharing, investigations and direct action.