According to Malwarebytes’ recent Second Annual State of Ransomware report, 20% of small businesses are forced to shut down after a ransomware attack. That just sucks.
For small companies, I get it. With less than one in two businesses making it through their first five years, many companies live on the edge and don’t have the time, resources or awareness necessary to take the proactive steps that will minimize the risk of being infected by malware and/or ensure they can recover if they are.
That’s a shame as it’s not really that hard or costly to put a basic ransomware survival plan in place.
As a starting point towards reducing your risk, having a very basic understanding of ransomware and how it gets on your systems can help significantly.
90% of the time, ransomware gets on your system via a phishing email that either contains a malicious hyperlink (which directs you to a website that loads the ransomware) or an attachment (e.g., a PDF or Microsoft Word file) that contains the ransomware. Ransomware encrypts (“locks”) your files with a key and then sells you the decryption key. Even if you do buy the key, 40% of the time the files are not recoverable.
4 Ransomware Tips for Attack Prevention
The four most important things you can do to reduce the chances of becoming a victim of a ransomware attack (like the WannaCry attack in May 2017) are:
1) Use a SPAM filter on your email server/client.
This will reduce the number of malicious emails you and your users may receive and thus may mistakenly open. SPAM filtering is essentially free on Office 365 or Gmail, and free or inexpensive in most other cases.
2) Educate your users about phishing.
This can be as simple as putting together a slide deck and talking them through it a few times a year. Online education and phishing testing programs like our own Cyber Acuity program can be as inexpensive as $15 per user per year. With education, if a malicious email gets through your SPAM filter, the chances the recipient will open it are notably reduced. Be sure to educate your users on what they should do in the event they receive or open a phishing email.
3) Patch your systems.
Simply put, enable automatic updates on your systems. Windows makes this very easy. It takes one minute and costs nothing. You still need to remember to update your browsers (if you don’t use Internet Explorer or Edge), Adobe products, and any other third-party software. But if your patches are up to date, then even if an email gets through your SPAM filter and your educated user still clicks on it, there is a good chance your system will not be vulnerable to the attack—so it will fail.
4) Back up important data.
Most operating systems make it relatively easy to back up data. Automated cloud backup services like Carbonite or iDrive are reasonably priced without any upfront costs. If your data is backed up, then even if the email gets past your SPAM filter, your educated user still clicks on it, the system is vulnerable, and the ransomware successfully encrypts your files, you’ll have backup copies to restore from.
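A backup only helps against ransomware if it is kept where the infected machine cannot overwrite it and if you know it actually restores. The following is an added example (written for this article, not Pivot Point Security’s code or any backup product’s) that illustrates step 4 on a small scale: it copies a folder into a timestamped snapshot with a SHA-256 manifest, verifies the snapshot, detects files in the live folder that have been altered or deleted, and restores them. The sample folder, file contents and the simulated “encryption” are all constructed; a real deployment would write the snapshot to a separate, write-protected or cloud location rather than a temp directory next to the live data.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_snapshot(source: Path, backup_root: Path) -> Path:
    """Copy every file under `source` into a new timestamped snapshot directory
    and write a manifest.json mapping relative path -> SHA-256 of the copy."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    snapshot = backup_root / stamp
    (snapshot / "data").mkdir(parents=True, exist_ok=True)
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source)
        dest = snapshot / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[rel.as_posix()] = sha256_of(dest)
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_snapshot(snapshot: Path) -> list[str]:
    """Return the relative paths whose stored copy no longer matches the manifest
    (an empty list means the backup itself is intact)."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (snapshot / "data" / rel).is_file()
            or sha256_of(snapshot / "data" / rel) != digest]


def damaged_files(source: Path, snapshot: Path) -> list[str]:
    """Compare the live folder against the snapshot manifest. Files that are
    missing or whose content changed (e.g. encrypted by ransomware) are listed."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (source / rel).is_file() or sha256_of(source / rel) != digest]


def restore(snapshot: Path, source: Path, rels: list[str]) -> int:
    """Copy the listed files back from the snapshot; returns how many were restored."""
    for rel in rels:
        target = source / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / "data" / rel, target)
    return len(rels)


def demo() -> dict:
    """Constructed scenario: back up a small folder, simulate one file being
    encrypted and another deleted, detect the damage and restore from the snapshot."""
    root = Path(tempfile.mkdtemp(prefix="ransomware-backup-demo-"))  # hypothetical location
    live, backups = root / "live", root / "backups"
    (live / "docs").mkdir(parents=True)
    (live / "docs" / "invoice.txt").write_text("invoice 1001: $250.00")
    (live / "notes.txt").write_text("call the accountant on Monday")

    snapshot = create_snapshot(live, backups)
    before = damaged_files(live, snapshot)

    # Simulated ransomware effect: one file overwritten with junk, one deleted.
    (live / "docs" / "invoice.txt").write_bytes(b"\x8f\x13LOCKED\x00\xff")
    (live / "notes.txt").unlink()

    after = sorted(damaged_files(live, snapshot))
    restored = restore(snapshot, live, after)
    result = {
        "backup_intact": verify_snapshot(snapshot) == [],
        "damaged_before": before,
        "damaged_after": after,
        "restored": restored,
        "damaged_after_restore": damaged_files(live, snapshot),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the part most people skip: without it you can only tell that a backup exists, not that it is complete, and a ransomware-encrypted file copied into a backup looks just like any other file until you compare hashes. Run `verify_snapshot` on a schedule and alarm on any non-empty result.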
Ransomware is a nuisance at best, and a potentially deadly threat to unprotected small businesses at worst. But if you take the above steps, your business will survive.
For more tips on ransomware prevention, contact Pivot Point Security.