If global banks, utilities and governments find it nearly impossible to defend against cyber-attacks, then spare a thought for those dealing with SME cyber security.
Heightened interest in SME cyber security issues has driven a large increase in the number of small and medium businesses that are becoming more cyber aware, according to leading online accountancy software provider MYOB.
The latest MYOB Business Monitor survey highlights that 70% of New Zealand SMEs now register concerns with one or more SME cyber security risk areas, an increase of 10% in just six months, with awareness up across all categories.
“This is a hugely significant result and highlights the increasing appreciation amongst small business owners of the importance of good cyber security processes and working with trusted partners to make sure their data is secure,” says MYOB New Zealand General Manager James Scollay.
The survey of more than 1,000 SME customers conducted for MYOB by Colmar Brunton reveals that the risk of hackers gaining access to data is the leading online security issue, with 56% of SMEs highlighting concerns in this area, up from 42% in Sept 2015. Losing access to data was also high on the awareness list, concerning 50% of SMEs surveyed – up from 37% in Sept 2015.
| Concern | March 2016 | September 2015 |
|---|---|---|
| Hackers gaining access to data | 56% | 42% |
| Losing access to data (ransomware blocking) | 50% | 37% |
| Losing control of data (ransomware blocking) | 46% | 32% |
| Competitors accessing data | 19% | 11% |
| Data surveillance by local governments | 18% | 10% |
At the same time, SMEs in the UK are finding out that expensive SME cyber security is often powerless to stop extortion. A UK-based building consultancy discovered the hard way what being hit by ransomware means. One minute the company is a functioning business, the next it’s being extorted by people it has never met, a threat it hasn’t heard of and a crime it didn’t even know existed.
The firm later traced the fateful infection by a ransomware variant called DMA Locker back to an email attachment opened in Outlook at 21.46 on 6 March, a vulnerable moment because it happened to be a Sunday, a day when most of the firm’s 30 employees were at home. As with so many ransomware infections, the simple act of opening one attachment became a gateway to a world of trouble. The malware immediately started encrypting files on the first PC before successfully reaching out to a series of attached network drives. With nobody around accessing those shares, nothing untoward was noticed until the next day, by which time 90 percent of the files the company rated as critical to its business had been scrambled using AES-256 – or at least that’s what the malware claimed in the ransom message.
Most ransomware demands a modest ransom, usually between $500 and $1,000 in Bitcoins, but this one asked for £6,500 ($9,500), an unusually high price that strongly suggests that the attackers had carried out a targeted raid.
The SME firm had only firewalls – no defense whatsoever against this kind of malware – which meant its only line of defense was antivirus software running on each PC. This layer failed to notice the ransomware, which is not surprising given that the variant was new. This inability of antivirus to stop aggressive ransomware makes such attacks similar to zero days.
The firm had no security team, which meant that reinstating the encrypted files from backup was not an easy alternative. This is a common theme among SMEs, but even larger organizations with staff on hand find locating backups and installing them a complicated issue that could take days or weeks.
It’s all part of the extortionist’s business model: reinstating encrypted files (assuming such backups exist for all lost files) costs more than the ransom. An unknown but growing number simply pay up because it’s the cheapest option.
It’s a dark experience more and more UK SMEs and even large enterprises find themselves living through. Smaller firms are in greater danger because they often lack the knowledge to cope.
When ransomware strikes – lessons? Every firm needs to devise a plan for how it will respond not simply to malware in general but to extortion-specific attacks such as DDoS, ransomware, web defacement, data breaches or a combination of all of the above. Having backups is a start but is not enough on its own.
Most important of all, companies shouldn’t wait for trouble to strike. Ransomware is not a new threat, but it shows no sign of going away; far from it. It is evolving and the targeting is becoming better and better. Any and every company is at risk. Don’t ignore it; give yourself a chance by understanding the enemy.