Posted on

How should SMEs and startups prepare to handle a ransomware attack?

ransomware attack

Ransomware attacks are on the rise worldwide, with the Asia-Pacific region alone experiencing a 168 per cent increase in 2021 compared to the previous year, according to Check Point Research.

Not only are ransomware attacks becoming more common, but they are targeting organisations across all sectors and sizes, especially Small-Medium Enterprises (SMEs) and startups.

With the average ransom demand now reaching up to US$180,000, hackers are always on the lookout for digital “open doors” into company systems. As such, it is crucial for organisations of all sizes to be aware of the cyber risks they face and build resilience.

The anatomy of a ransomware attack

Much like criminals in the physical world, cybercriminals are most effective when three key elements merge together: Motivation, resources, and opportunity.

The motivation behind ransomware attacks is primarily economic, as companies are often willing to pay millions of dollars to the attackers in order to have their files unlocked, systems restored, and business operations resumed smoothly.

As cybercriminals continuously upgrade their malware and their strategies become increasingly sophisticated, attackers are developing resources to conduct cyber-attacks of enormous magnitude and impact.

The WFH policy introduced during the COVID-19 pandemic has also exposed organisational cyber vulnerabilities, given that employees often use personal devices connected to home or shared networks which are far less secure than organisational ones.

Combined with bad cyber hygiene and a lack of general awareness of cyber best practices, organisations are at risk of a cyber breach now more than ever.

A matter of seconds

Last year, the number of ransomware reports Singapore’s Cyber Security Agency (CSA) received almost doubled. The increase can be linked to the emergence of ‘Ransomware-as-a-Service’ (RaaS), a business model which leases ransomware variants to their clients in exchange for a percentage of the ransom paid by the victim.

This way, people with little to no technical knowledge are able to launch sophisticated ransomware attacks on organisations.

Once it has penetrated a system, ransomware acts rapidly and can encrypt important files on every single device on the network. This can happen within hours, minutes, or even seconds, depending on the number of targets in the attack and whether the attacker has spent time silently monitoring and exfiltrating data prior to encryption.

Most importantly, time is of the essence. A few seconds can make the difference between securing valuable information or bearing the risk of losing data while having to pay out a much bigger ransom.

The length of time a cyber attacker has free reign in an environment from the time they get in until they are eradicated– is known as its dwell time.

Also read: The WannaCry ransomware attack is wreaking havoc across the world, here are 14 steps to protect your company

The longer attackers have access to a network, the more opportunities they have to collect vital data and cause disruptions across the company’s digital systems.

On a global level, the average cyber dwell time in 2020 was 56 days. However, Asian companies are performing much worse than their US and EU counterparts when dealing with cyber-attacks.

In Hong Kong and Singapore attackers are often able to operate undetected for much longer, with most cyber-attacks dwelling in systems between 90 and 180 days respectively, while others have lasted years.

Reducing dwell time through compromise assessments

With some of the highest dwell times worldwide, Asian companies can and should take steps to improve their proactive defence and address cyber threats on the front foot.

Organisations can start by keeping systems and patches up to date to ensure the attacker has fewer opportunities to leverage vulnerabilities in your computing environment. To augment this, deploying Endpoint Detection and Response (EDR) products and employing a professional incident response and digital response firm to conduct frequent and recurring Compromise Assessments ensures early detection of a cyber-attack and increases the chances of disruption.

A Compromise Assessment, or “CA”, answers the fundamental question: “have I already been breached?”, and can provide a measure of comfort for companies in knowing that they have a high degree of certainty of their safe status. SMEs should minimally conduct a CA once a quarter.

The CA provides a two-fold benefit. On the one hand, it  can detect the early stages of an attack by hackers who enter a network through a phishing link, circumventing the cyber defences in place since an employee was tricked into letting them in. These hackers are using the combined power of human intuition and qualitative thinking alongside the quantitative horsepower of computing.

As a result, deploying a digital solution alone is woefully inadequate against the combination of this human-computer one-two punch as it is logically only half of what the adversary is leveraging. In light of this, CAs deploy high-level cybersecurity specialists with various technological solutions and approaches to eliminate the unfair advantage enjoyed by hackers.

On the other hand, a CA can also catch active intrusions that various anti-virus and EDR solutions are unable to detect. If that is the case, the specialists transition immediately to quarantining, killing, and remediating the situation, logically resulting in less financial damage than discovering the attack once it is fully executed by the criminals.

Thus, one can easily see the importance of a recurring CA to disrupt attackers in this situation as it is akin to having security guards patrol the building on the hour versus purely relying on CCTV to detect everything on its own.

Finally, having a clear incident response plan, including a good cyber insurance policy which offers expert digital forensics and incident response (DFIR) services and management support in the event of a cyber-attack, enables teams to react in a controlled and proven manner, saving precious time and resources following an attack.

Ransomware: Everyone is at risk

The biggest misconception that exposes SMEs to cyber-attacks is the sense of “security through obscurity”.  Startups and SMEs tend to believe that they will never be targeted by cyber-attacks because they are not important enough.

This concept is no longer valid, as hackers are now looking to target the most vulnerable companies rather than the biggest ones.

Paired with the advent of RaaS numerous low-skilled “hackers” are now probing and attempting to deploy downloaded ransomware scripts to any company with an open port that they scan, which are often SMEs who have little to no investment in their cybersecurity.

This means that today 43 per cent of all cyber-attacks are against SMEs which lack structural preparedness and organisational cyber security awareness, but also the financial resilience needed to survive an attack.

Therefore, preparation is key to survival via proactive defensive measures CAs, as well as securing the human element via the education of employees on cyber best practices while ensuring that all systems are appropriately patched and protected.

Additionally, having a well-rehearsed incident response plan and playbook allows for immediate response in the event of a breach, which is most cost-efficiently handled via a comprehensive cyber insurance policy.

In the ever-changing world of ransomware attacks and cyber threats, startups and SMEs should not brush off investing in their cyber defenses simply because they are smaller or less visible in the same way that they would never leave their office unlocked, unsecured, and unchecked.

Proactively defend vital systems, diligently patch company software tools, and have a plan in place in the virtually inevitable event of a breach.

These methods will help organisations put their best foot forward when addressing cyber threats.

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. Share your opinion by submitting an article, video, podcast or infographic

Join our e27 Telegram group, FB community or like the e27 Facebook page

Image credit: monsitj

The post How should SMEs and startups prepare to handle a ransomware attack? appeared first on e27.