SMBs are not immune from ransomware attacks

As hackers evolve, they increasingly set their sights on small and medium-sized businesses
Shilling, Cameron72

Cameron Shilling

Hackers are intentionally targeting small and medium-sized businesses and are likely to continue doing so for the foreseeable future.

Headlines certainly have exposed recent breaches of large and sophisticated companies (like Marriot, Equifax and Yahoo!), big governments and agencies (like the federal Office of Personnel Management and the state of Texas) and prominent educational institutions (like Harvard and the University of Connecticut). But it would be a mistake to believe that hackers target only those types of organizations.

No business is immune from cyber threats. In fact, small and medium-sized business (SMB) are just as valuable targets as large organizations, because we commonly possess significant amounts of sensitive personal information about customers, vendors, employees, students, etc. Also, SMBs are generally more vulnerable, because we often do not have comparable resources to invest and have not allocated the time required to implement appropriate safeguards.

Ransomware attacks perpetrated a few years ago typically only encrypted computers and servers, yielding a demand for ransom to obtain the decryption key. Cybersecurity evolved to counteract that threat, particularly through a combination of advanced activity-based applications that detect ransomware activity and deactivate systems before all data is encrypted, with robust backups that can be used to restore encrypted systems.

As a consequence, hackers evolved too. Now, sophisticated ransomware is typically undetectable by routine anti-malware, and both extracts data from computers and encrypts it. Thus, if the target business refuses to pay the ransom to decrypt its systems, the hackers re-demand ransom to refrain from selling the stolen information on the dark web.

No target is too small

In years past, hackers may have focused more of their efforts on larger businesses that accumulated credit cards, social security numbers, governmental identification numbers, financial information, and health information. That is not true anymore.

Because big firms generally have invested in cybersecurity, smaller ones are now much softer targets. Also, while the foregoing information remains generally valuable, some of it (like Social Security numbers and government IDs) have been broadly compromised already, and other types of information (like credit cards and financial accounts) are surrounded by sophisticated protections.

Broader personal information is now equally or more valuable for hackers to perpetrate identity and financial crime. For those purposes, the information that SMBs commonly collect is prized, like information about financial and business transactions, travel, purchasing activity, family relationships, social interactions, usernames and passwords.

Moreover, hacking has increased its efficiency by industrializing the criminal enterprise. Criminals now specialize in code writing, phishing, deploying attacks, collecting and aggregating data, and perpetrating crime. That efficiency, in combination with greater automation in phishing and deploying attacks, have enabled hackers to exponentially expand their target population.

Not to be ignored

Two big hurdles faced by SMBs are a lack of knowledge about how to address cybersecurity, and a misconception that doing so will be too expensive or disruptive. Neither are prohibitive barriers.

Many articles and other resources (such as through the National Institute of Standards and Technology or NIST) exist to educate us on this topic. Also, the market now has a greater selection of information security professionals qualified to provide services to a wide variety of SMBs.

With respect to cost, there is good news for SMBs. Their relatively smaller technological and physical footprint generally makes it is easier and cost effective to assess their vulnerabilities and implement reasonable safeguards. By contrast, larger companies commonly have established technology systems and physical facilities that may have been designed without addressing current cybersecurity controls, which means that they may have more vulnerabilities that can be costly and operationally challenging to mitigate.

Additionally, all businesses allocate a certain amount of resources to technology, and an experienced professional can help configure that same budget to incorporate cybersecurity safeguards with limited additional cost.

Business leaders who have experienced hacks know all too well that we cannot afford to ignore these risks. Ransomware cripples a business for days or weeks, can be exorbitantly expensive (particularly if a business has no insurance coverage for it), and often results in lost customers and revenue. Hackers will continue to target small and medium sized businesses. So SMBs need to take action now to protect ourselves.

Cam Shilling, founder and chair of McLane Middleton’s Information Privacy and Security Practice Group, can be reached at

Categories: Law, Legal Advice, Tech Advice, Technology