Ransomware Attacks Can Prove Fatal To Small Businesses

Small businesses can be fatally hurt by a successful ransomware attack.

A ransomware attack encrypts a business's files and then demands payment in exchange for the key needed to recover them. Without a clean backup to restore from, the data is effectively held hostage on the company's own computers.

Malware volume skyrocketed in 2016, increasing by more than 800 percent from the previous year, and ransomware profits soared to nearly $1 billion, by FBI estimates.

According to Troy Gill, manager of security research at AppRiver, ransomware typically reaches a business through one of the following routes:

  • Email spam remains the most common delivery method: malicious attachments, links to malware, and social engineering that talks the recipient into opening them.
  • Web browsers let users download and run code from any external web site, and a vulnerable browser or plug-in can be exploited by a booby-trapped page with no download prompt at all. As with email, one click can put your business at risk.
  • Security updates and software patches can be annoying, especially when they require a restart of the computer or mobile device, so many users postpone them. Every delayed patch leaves a known hole open for attackers.

While technology solutions are critical to maintaining security, the weakest link in any business is not the software, it's the staff. This liability can be drastically reduced with effective staff training. A well-educated staff can catch the first signs of a phishing scam and save a small business from damage it would otherwise never see coming. By increasing awareness of social engineering techniques, employees can make more informed decisions about emails and web content and so better protect data and systems.

One of the best defenses is to implement consistent end-user training and to implement and enforce email policies. Email policies should be written to reduce the risk of an attack while addressing your organization's specific challenges and goals. Consider the following basic policies for internal email:

  • Don't send e-mail in HTML format; plain text cannot hide a link's real destination behind friendly-looking text.
  • Don't send unrequested attachments or hyperlinks; if staff never expect them, an unexpected one stands out immediately.
  • Don't include or ask for personal information (passwords, account numbers or other sensitive personal data) by email.
  • Address the recipient by full name, so that a generic "Dear user" greeting becomes a warning sign rather than the norm.
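The four policies above are simple enough to check automatically on the mail server or in a mailbox audit. The following Python script is an added example, not AppRiver's or the author's code: it parses an RFC 822 message with the standard library's email package, walks every MIME part, and reports which of the four policies the message breaks. The two sample messages are constructed for illustration, and the keyword list used to spot requests for personal information is an assumption that a real deployment would tune.

```python
"""Check an internal e-mail against the four policies listed above.

Added example, not AppRiver's or the author's code.  The two sample
messages are constructed for illustration, and the keyword list used to
spot requests for personal information is an assumption a real deployment
would tune.
"""
import email
import re
from email import policy

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
# Assumed keyword list; extend it to match what your own staff are actually
# asked for by phishing mail.
PERSONAL_INFO_RE = re.compile(
    r"\b(password|passcode|social security|ssn|date of birth|credit card)\b",
    re.IGNORECASE,
)


def check_message(raw: str) -> list:
    """Return the policy violations found in one RFC 822 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Policy 1: no HTML.  Walk every MIME part, since an HTML body can hide
    # inside multipart/alternative or multipart/mixed.
    parts = list(msg.walk())
    if any(p.get_content_type() == "text/html" for p in parts):
        findings.append("HTML body present")

    # Policy 2: no unrequested attachments or hyperlinks.
    if any(p.get_content_disposition() == "attachment" for p in parts):
        findings.append("attachment present")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if URL_RE.search(text):
        findings.append("hyperlink in body")

    # Policy 3: no personal information included or requested.
    if PERSONAL_INFO_RE.search(text):
        findings.append("personal information mentioned")

    # Policy 4: address the recipient by full name.  The display name on the
    # To: header is the name the sender should have used; a bare address or a
    # generic "Dear user" greeting fails the check.
    to_hdr = msg["To"]
    name = to_hdr.addresses[0].display_name if to_hdr is not None and to_hdr.addresses else ""
    if not name or name not in text:
        findings.append("recipient not addressed by full name")

    return findings


# Constructed sample messages (not real mail).
GOOD = """\
From: Pat Lee <pat.lee@example.com>
To: Jane Doe <jane.doe@example.com>
Subject: Q3 numbers
Content-Type: text/plain; charset="utf-8"

Hello Jane Doe,

The Q3 numbers are in the shared finance folder, same place as last quarter.

Pat
"""

BAD = """\
From: IT Helpdesk <helpdesk@example.com>
To: jane.doe@example.com
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear user,</p><p>Confirm your password at http://intranet.example.com/verify</p>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, check_message(raw) or "clean")
```

The check is deliberately strict: a single HTML part anywhere in the MIME tree trips it, because phishing mail often carries a plain-text part for spam filters and an HTML part for the victim. A message that breaks all four rules is exactly what a typical "helpdesk" lure looks like, which is why the policy makes such mail easy for staff to reject.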

You can measure how exposed you are by establishing a baseline of end-user security behaviour. Nearly 80 percent of organizations skip this critical step because they never test their users.

Here are some things to consider when implementing a security testing program:

  • Simulated phishing (often loosely called penetration testing): send end users suspicious yet harmless emails and record whether they open them, respond to them or click the embedded links. This is a good way to see how susceptible your organization is to real attacks. Follow-up: if an employee clicks or responds during the exercise, discuss it with them as soon as possible and reinforce best practices; the aim is to teach, not to punish.
  • Quizzing: throughout the year, run mandatory quizzes to test staffers' knowledge of data-handling best practices. The results show how well policies are being followed and where training needs to improve.

Hackers are constantly adapting and improving their weapons of choice, so you must be diligent. Make sure your users are well educated, adopt a multi-layer security approach, and have a thorough backup plan in place: one that keeps copies the ransomware cannot reach (offline or otherwise isolated from the network) and whose restores you have actually tested. While training by itself will not completely solve security-related problems, it will bolster your first line of defense.
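The simulated-phishing exercise above needs two pieces of bookkeeping: a tracking link that identifies the recipient without exposing their address, and a way to score the clicks afterwards. The Python below is an added example, not AppRiver's or the author's tooling. It derives an unguessable per-recipient token with an HMAC keyed by a campaign secret, builds the link to a harmless training page, and then scores a web-server access log, counting each person once and rejecting hits whose token was never issued (scanners, typos, or someone probing the landing page). The campaign secret, landing URL, recipient list and log lines are all constructed for the example, and the log format is assumed to be Apache common-log style.

```python
"""Simulated-phishing campaign bookkeeping: issue per-recipient tracking
links and score a click log.

Added example, not AppRiver's or the author's tooling.  The campaign secret,
landing URL, recipients and log lines are constructed; the log format is
assumed to be Apache common-log style.
"""
import hashlib
import hmac
import re
from urllib.parse import urlencode

CAMPAIGN_SECRET = b"rotate-me-per-campaign"          # assumption: kept out of the mail template
LANDING = "https://training.example.com/you-clicked"  # assumption: harmless training page


def make_token(campaign: str, recipient: str) -> str:
    """Unguessable per-recipient token, so the click log can be attributed
    to a person without putting their address in the URL and without a
    curious user being able to forge a hit for a colleague."""
    mac = hmac.new(CAMPAIGN_SECRET, f"{campaign}:{recipient}".encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def tracking_link(campaign: str, recipient: str) -> str:
    """The link embedded in the harmless test email."""
    return f"{LANDING}?" + urlencode({"c": campaign, "t": make_token(campaign, recipient)})


# Matches the request part of a common-log line for the landing page.
LOG_RE = re.compile(r'"GET /you-clicked\?c=(?P<c>[^&\s"]+)&t=(?P<t>[0-9a-f]+) ')


def score_clicks(campaign: str, recipients: list, log_lines: list) -> dict:
    """Map tokens in the access log back to recipients.  Each person counts
    once however many times they clicked; tokens that were never issued for
    this campaign are counted separately as rejected hits."""
    by_token = {make_token(campaign, r): r for r in recipients}
    clicked = set()
    rejected = 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["c"] != campaign:
            continue
        who = by_token.get(m["t"])
        if who is None:
            rejected += 1
        else:
            clicked.add(who)
    return {
        "clicked": sorted(clicked),                       # who needs the follow-up talk
        "click_rate": len(clicked) / len(recipients) if recipients else 0.0,
        "rejected_hits": rejected,
    }


# Constructed campaign data (not real recipients or traffic).
CAMPAIGN = "2017-03-invoice"
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]


def _hit(addr: str) -> str:
    """Build a constructed access-log line for a genuine click by addr."""
    return (f'10.0.0.5 - - [14/Mar/2017:09:12:01 +0000] '
            f'"GET /you-clicked?c={CAMPAIGN}&t={make_token(CAMPAIGN, addr)} HTTP/1.1" 200 512')


SAMPLE_LOG = [
    _hit("alice@example.com"),
    _hit("alice@example.com"),   # second click by the same person counts once
    _hit("carol@example.com"),
    # token that was never issued: a guess or a scanner, must not be attributed
    f'10.0.0.9 - - [14/Mar/2017:09:13:44 +0000] "GET /you-clicked?c={CAMPAIGN}&t=0123456789abcdef0123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Mar/2017:09:14:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(tracking_link(CAMPAIGN, "alice@example.com"))
    print(score_clicks(CAMPAIGN, RECIPIENTS, SAMPLE_LOG))
```

Keying the token to the campaign as well as the recipient means a link from one exercise cannot be replayed into the next, and the secret never appears in the email itself. The "clicked" list is the follow-up list the text recommends; the rejected count is worth watching too, since a burst of unissued tokens usually means a security scanner or mail-filter sandbox visited the page rather than a person.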

About the Author

Troy Gill is Manager of Security Research for AppRiver, a global provider of cloud-based cybersecurity and productivity solutions for businesses. For more information about protection best practices and employee training tips to defend your business against the latest threats, download AppRiver's free guide at http://411.appriver.com/emea-ransomware-whitepaper.