Small Business. PHOTO: Cybercrime Magazine.

Ransomware’s Rising Tide Is Threatening To Capsize Small Businesses

Global damage costs predicted to exceed $10 billion in 2021

David Braue

Melbourne, Australia – Jul. 28, 2021


Among its many repercussions, the recent compromise of IT service provider Kaseya left an estimated 1,500 companies — most of them small businesses — struggling to recover after their systems were locked by ransomware in a vicious supply chain attack.

The breach was the latest in a series of high-profile attacks this year, but its impact on small businesses, in particular, was a reminder that cyberattacks are an equal-opportunity plague.

And for every ransomware hit on software suppliers like Kaseya, or every compromise of major multinationals like Saudi Aramco, thousands of small businesses are suffering similar disruption — usually without the support of dedicated cybersecurity teams or expensive backup and recovery infrastructure.

The results can be catastrophic: Cybersecurity Ventures predicts ransomware damages will cost the world $20 billion in 2021, and grow to $265 billion by 2031.

With small businesses globally being victims to more than half of all cyberattacks, the total ransomware damage costs they’ll sustain is estimated to exceed $10 billion.

Cybercrime Radio: Small Businesses at Cyber Risk

Johan Gerber, EVP Security & Cyber Innovation at MasterCard

This sort of financial loss can drown small businesses — 88 percent of whom, a recent U.S. Small Business Administration (SBA) survey found, admit they are vulnerable to a cyberattack.

The increasing vulnerability of small businesses was reflected in the 2021 Verizon Business Data Breach Investigations Report (DBIR), which noted that small businesses were targets in fewer than 50 percent as many breaches as large organizations — but that this had increased to 85 percent as many in 2020 amidst last year’s frenzy of cybercriminal activity.

“For the first time since we began to look at this from an organizational size perspective, the two groups are very similar to each other,” the report’s authors wrote, “and at least pattern-wise, this seems like a ‘one size fits all’ situation…. [and] we saw fewer internal actors doing naughty things with their employer’s data.”

Like their larger counterparts, small businesses are primarily being targeted by “financially motivated organized crime actors,” Verizon concluded, with stolen credentials and web application attacks widespread as cybercriminals seek to gain privileged access and install malware on their victims’ networks.

Interestingly, despite being faster to the punch in 2019 — when one survey found two-thirds of small-business respondents believed they weren’t vulnerable to cyberattacks — last year the tables had turned.

During 2020, small businesses became less likely to discover breaches within several days than their larger counterparts — with just 47 percent of small businesses discovering breaches within days, compared to 55 percent of large businesses.

This may be due to the growing sophistication of cyberattacks, distraction from the many competing challenges of the COVID-19 pandemic, or lack of financial resources to properly address cybersecurity risks.

Such issues were flagged early in the pandemic, when the Cyber Readiness Institute found that, despite the rapid acceleration of the pandemic — and growing understanding that widespread remote working would pose an existential threat to small businesses — only half of small business owners were worried about the threat of more cyberattacks.

And while 40 percent said that economic uncertainty would prevent them from making “necessary cybersecurity investments,” just 22 percent said they provided cybersecurity training before setting their employees loose — and only a third of small businesses (those with fewer than 20 employees) provided any cybersecurity training at all.

“Now, more than ever, cybersecurity affects the ‘business’ of nearly every company,” Cyber Readiness Institute managing director Kiersten Todt said. “These are extremely challenging times for companies, especially small businesses, as revenue and resources are as unpredictable as they have ever been.”

“Ransomware is the greatest cyber threat to small businesses globally,” says Steve Morgan, founder of Cybersecurity Ventures. “We’ve seen small businesses go out of business after being hit by ransomware attacks.”

The problem, and how to fix it

If 2020 was a small business masterclass in the reasons why ignoring cybersecurity can be perilously ignorant, 2021 is shaping up to be the sting in the tail.

In the absence of bigger cybersecurity budgets and teams, small businesses are likely to continue struggling in the face of the growing tide of cybersecurity attacks, with the breakaway success of ransomware ensuring that the cybercriminals aren’t likely to give up any time soon.

Recognizing that cybersecurity Darwinism is not a viable long-term strategy, the past year has seen a flurry of top-down support for small businesses from government bodies like the SBA, which hosts regular free webinars aiming to educate small-business owners about cybersecurity issues.

For its part, the Cybersecurity & Infrastructure Security Agency (CISA) late last year launched cybersecurity guidelines called Cyber Essentials, and a set of small business resources designed to guide small businesses towards better cybersecurity.

“When it comes to collective defense, we are only as strong as our weakest link,” former CISA director Christopher Krebs said in explaining that the resources “are designed for those small businesses and local governments who don’t have abundant resources — where the CEO is also the chief information officer, head of marketing and HR — who are looking for where to start.”

“This is a set of cybersecurity practices that are easy to adopt and understand and together constitute ‘the basics.’”

Yet as every cybersecurity professional well knows, there is a long way from learning ‘the basics’ of cybersecurity, to building and operating a robust IT infrastructure capable of withstanding today’s vicious cybersecurity climate.

Cybercrime Radio: Mastercard’s Trust Center

Cybersecurity resources for small businesses

Pressured as they already are, many small-business owners will continue to limp through the cybersecurity maelstrom, waiting in dread for the day they are also hit by attackers.

More proactive small business operators will understand that effective security requires much more than installing antivirus software. And the more they appreciate the importance of cybersecurity, the more small businesses are also likely to appreciate the range of support tools and services that can help them accelerate their cybersecurity defenses faster than they could on their own.

Outsourced email security, incident response, managed detection and response, and other capabilities suit the time-poor, cash-poor, people-poor situation of small businesses trying to stay solvent in the ‘year of ransomware’ — every year, really, but particularly 2021 given the number of successful large-scale strikes so far.

Ultimately, small-business cybersecurity continues to grow fitfully. There will undoubtedly be many more victims before enough small businesses even get up to speed with the basics to deter a determined hacker, and even those companies spending enough to protect themselves aren’t guaranteed to be safe.

The key is for small-business owners to just try — and to make real, focused efforts to not only improve their own knowledge, but to identify and purchase appropriate services that give them access to the data-protection services they need, and the security professionals they can’t afford to employ on their own.

Cybersecurity Ventures predicts ransomware will attack a business every 11 seconds in 2021, and in a decade from now that will increase to every 2 seconds. The clock is ticking, and small business founders and CEOs need to adopt a new and more serious cyber mentality.

Thinking about cybersecurity like a large business — but acting and spending like a small one — is the only way to ensure small business survival. Getting adequate cyber resilience is a journey of a thousand miles – so don’t waste any more time in taking that first big step.

Mastercard Archives

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Brought to you by Mastercard

Small businesses are the backbone of economic growth. The needs of small businesses have not changed during the pandemic, but they have grown more acute. With cyberattacks on the rise, small businesses are a huge target. 

Quite often cybersecurity is an afterthought for many small businesses. Many do not have the resources of larger organizations to defend themselves and act once breached. And it’s often difficult to recognize that improving the cybersecurity of one’s business is within one’s control.

Our goal is to change that. This is why we created the Mastercard Trust Center — to help small businesses defend their most important assets — their business and their reputation, through free online access to trusted cybersecurity research, education, resources and tools.

It’s our mission to bring the Mastercard Trust Center to every small business, everywhere, enabling owners to feel more secure and better equipped to thrive against uncertainties.