It's a Net, Not a Harpoon | Why Ransomware Threatens Small Businesses


July 27, 2021

We hear it all the time: “our company is too small to be targeted by hackers. Why should we worry about cybersecurity and ransomware if we don’t have anything worth the effort of stealing?”

But not every cyberattack is targeted. It’s like spam email: if it takes the same amount of effort to send one email as it does to send a hundred thousand, then why not send to as many recipients as possible? Likewise, cyber attackers only have to breach one organization for their efforts to be worthwhile, and they’re not picky about who they catch.

Even if your small organization’s data isn’t particularly valuable to them, the attackers are still betting that it’s valuable to you. And if you don’t pay the ransom they demand, it’s nothing to them; since it took so little effort, they don’t need to care. They can just move on to the next net, and the next catch…and leave you stuck.

The Many Types of Nets

And there are plenty of catching methods available to these bad actors. They range from hardware exploits to phishing campaigns, and they can either run in the background or depend on some degree of user error. There’s no way to list every type of attack, but some of the most common vectors – explained in further detail by the Cybersecurity and Infrastructure Security Agency (CISA) – fit into these four general groups:

Broad-spectrum phishing

We’ve talked about phishing campaigns before: spam emails that pretend to be official correspondence in order to manipulate the recipient into clicking an embedded malicious link. These are the most common type of attack, and despite being frequently mocked as “simple” or “obvious,” they still fool recipients every day. Even a single click on the linked webpage can be enough to infect your device, and some emails are very cleverly designed (see our dedicated session “Catching A Phish” for some examples).

Hardware/software vulnerabilities

These are flaws in an organization’s back-end infrastructure, such as firewalls, servers, switches, and operating systems. Depending on the tool, these vulnerabilities can be exploited at scale with some simple research, attacking thousands of internet-facing devices that meet certain criteria (the recent Microsoft Exchange vulnerability is a perfect example of this type of attack). Because these attacks target back-end systems, they require no end-user input and can happen without you ever noticing…until the attackers spring the trap.

Malware infections

These are malicious programs designed to download themselves onto your device while you’re browsing the internet normally. Programs like these are the reason for the advice “don’t click popup ads,” but more sophisticated ones don’t even need to be clicked – just loading the webpage they’re on can be enough to trigger them. Again, these infections can happen without any specific end-user behavior; although they are more common on shady websites, even popular and well-respected sites can be an attack vector.

Third-party and MSP attacks

Instead of trying to breach individual organizations, these attacks go after business-to-business vendors that provide services to those organizations. By exploiting the trust these vendors have already obtained, bad actors can piggyback on their access to breach their clients. The recent Kaseya hack is a perfect example of this kind of attack: bad actors gained access to numerous Managed Service Providers (MSPs) and used their privileged connections to encrypt thousands of organizations’ data. It didn’t really matter how strong the locks were, because the hackers had mugged the maintenance guy for his copy of the key.

How to avoid the nets: presume that you can’t.

You may have noticed a common theme: many of these attack vectors are difficult or even impossible to completely safeguard against. And that’s the unfortunate reality of modern cybersecurity: there is simply no way to predict and prevent every threat. No security provider – not even Mytech – can 100% guarantee you will be protected from every possible attack.

And because Mytech can’t guarantee a breach will never happen, we intentionally take the security design mindset of “presuming breach.” This means that we plan as if we expect a breach to eventually happen, and establish safeguards to both mitigate the extent of the damage and enable you to recover from any damage that is dealt.

Mitigate potential damage

The old days of relying on your firewall and an antivirus program are over. As threats evolve, new tools emerge to combat them, and many of these are becoming industry standards. One of the strongest improvements you can make to your IT security is implementing Multi-Factor Authentication. In a nutshell, this safeguard requires you to present two “keys” (a password and, usually, a cell phone app) rather than just one to access your device and accounts. Text passwords alone are relatively easy to steal, but compromising an entire second device as well is a much higher barrier to entry.

Other safeguards include network segmentation (which functions like quarantine checkpoints, stopping an attack from spreading to other devices), endpoint DNS filtering (which detects and blocks web traffic to and from questionable sources), and Security Awareness Training (which educates your team members on IT security rules and the psychology behind attacks). These steps are among the top strategies encouraged by CISA, and even though these safeguards can’t always prevent a breach, they can often mitigate its negative effects.

Prepare for the inevitable recovery

Of course, even all of this might not be enough to stop a sophisticated ransomware attack. That’s why reliable backups are critical to your information security: if your network is compromised, you can often restore from an older backup with confidence. Backups aren’t “one size fits all,” though, so you’ll need to put in some time researching and selecting a backup solution that meets your specific needs, making sure you protect both on-premises data and cloud data like Microsoft 365 accounts (which are not immune to disaster or ransomware!). However, the peace of mind provided by a good backup solution is worth the effort.

But selecting a backup solution alone isn’t enough: you also need to verify that it covers all your bases, is configured properly, and can actually restore your data in a crisis. Imagine losing your data and attempting to restore it from the backup you’ve been investing in for years…only to discover that your data will take days to recover, can’t be recovered, or maybe was never there at all! By verifying your backups regularly with actual simulated recovery tests, you can ensure that your data is there when the unthinkable happens.
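To make the three checks above concrete (covers all your bases, configured properly, can actually restore), here is a scripted “simulated recovery test.” It is an added example written for this post, not Mytech’s tooling or any backup product’s own code: it stands in for a real backup with a constructed tar.gz archive of a few sample files, restores that archive into a scratch directory, and compares every restored file against a checksum manifest of what you expect to have, while also checking that the backup is not older than your chosen recovery-point window. The file names, contents and the 24-hour window are all assumptions made up for the demonstration.

```python
# Added example: a scripted restore test for a backup archive (not Mytech's code).
import hashlib
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for a small business's file share.
SAMPLE_FILES = {
    "finance/invoices-2021.csv": b"client,amount\nAcme,1200\n",
    "hr/handbook.txt": b"Welcome to the team.\n",
    "notes/todo.txt": b"renew domain\n",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Map each file (relative POSIX path) under source_dir to its SHA-256."""
    return {p.relative_to(source_dir).as_posix(): sha256_of(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def make_backup(source_dir: Path, backup_path: Path) -> dict:
    """Archive source_dir to backup_path; return the manifest taken at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(backup_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
    return manifest


def verify_backup(backup_path: Path, expected_manifest: dict, max_age_seconds: float) -> dict:
    """Simulated recovery: restore into a scratch directory and check every expected file.

    'ok' is True only when the backup exists, is recent enough, restores without
    error, and every file in expected_manifest comes back with the right hash.
    """
    report = {"ok": False, "age_ok": False, "restored": 0,
              "missing": [], "corrupt": [], "error": None}
    if not backup_path.is_file():
        report["error"] = "backup file not found"
        return report
    report["age_ok"] = (time.time() - backup_path.stat().st_mtime) <= max_age_seconds
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        try:
            with tarfile.open(backup_path, "r:gz") as tar:
                for member in tar.getmembers():
                    if not member.isfile():
                        continue
                    dest = (root / member.name).resolve()
                    # Refuse entries that would write outside the restore directory.
                    if root not in dest.parents:
                        raise ValueError(f"archive entry escapes restore dir: {member.name}")
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    with tar.extractfile(member) as src, open(dest, "wb") as dst:
                        shutil.copyfileobj(src, dst)
        except (tarfile.TarError, OSError, ValueError) as exc:
            report["error"] = f"restore failed: {exc}"
            return report
        for rel, digest in expected_manifest.items():
            restored = root / rel
            if not restored.is_file():
                report["missing"].append(rel)       # never backed up
            elif sha256_of(restored) != digest:
                report["corrupt"].append(rel)       # backed up, but not what we expect
            else:
                report["restored"] += 1
    report["ok"] = report["age_ok"] and not report["missing"] and not report["corrupt"]
    return report


def run_demo() -> dict:
    """Run the test against a good backup and two common failure modes."""
    results = {}
    day = 24 * 3600  # assumed recovery-point window
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "share"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        backup = Path(work) / "share-backup.tar.gz"
        manifest = make_backup(source, backup)
        # 1. Fresh backup, everything restores: the test passes.
        results["fresh"] = verify_backup(backup, manifest, max_age_seconds=day)
        # 2. A file created after the last backup: the data "was never there".
        (source / "notes" / "new-client.txt").write_bytes(b"signed 2021-07-26\n")
        results["gap"] = verify_backup(backup, build_manifest(source), max_age_seconds=day)
        # 3. Same archive with a two-day-old timestamp: recovery point too stale.
        two_days_ago = time.time() - 2 * day
        os.utime(backup, (two_days_ago, two_days_ago))
        results["stale"] = verify_backup(backup, manifest, max_age_seconds=day)
    return results


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(name, rep)
```

The point of the three scenarios in `run_demo` is that a backup can look healthy in a dashboard and still fail you: the “gap” case is a backup job that was configured before a new folder existed, and the “stale” case is a job that silently stopped running. Scheduling a restore test like this one against the real backup, and alerting when the report’s `ok` flag is false, is what “verifying your backups regularly” means in practice.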

Preparation amidst uncertainty

You can’t control much about the cybercrime world. You can’t 100% guarantee you won’t be caught in a cybercriminal’s net…no matter how much time, stress, and money you spend on your security!

However, by accepting this grim reality and “presuming breach,” you can instead spend your energy more productively: preparing for the day when it does potentially happen. Although no solution is perfect, you can drastically improve your organization’s security and mitigate the damage of potential attacks with strong cybersecurity safeguards and a robust backup solution that fits your needs.

If you’re starting to wonder how your organization would fare against a ransomware net, then no matter how small it is, the time to act is now…not after the attack hits. With tools like our Information Security Assessment, you can get a clear picture of how prepared your organization is for modern threats. Or if you’re itching to talk to someone right away, check out our contact form, get your questions answered, and find out how we can Make IT Easy for you when it comes to cybersecurity.
