As ransomware attacks continue to grow, debunking common falsehoods about how threat actors work can help buyers prepare.
When you think of ransomware attacks, you may envision a scene out of Hollywood: hundreds of computers all suddenly sputter to a stop at the global headquarters of a Fortune 500 company. But that’s rarely how these attacks occur. In fact, most threat actors go after small professional services firms—and do so through a file download or email with a malicious link.
As cybersecurity attacks continue to fill the airwaves, sifting through assumptions like the ones above are becoming increasingly important, particularly as buyers prepare for talks with insurance underwriters. Global ransomware reports were up 715% from 2019 to 2020, and payments jumped 60% in value since 2019. Thus, it’s important to distinguish between fact and fiction so that companies can think through how they can protect themselves from the next cybersecurity loss.
Here are five of the major ransomware myths that buyers should look out for:
1. My business is not a ransomware target
Healthcare institutions, schools, municipalities and larger organizations are often prime ransomware targets, but all businesses, of all sizes, are in the crosshairs of threat actors, who will often choose the easiest path to achieve their goals – attacking vulnerable companies that lack cyber defense and preparedness. That low-hanging fruit is often small and medium-sized businesses. Indeed, according to one estimate, 70% of ransomware incidents affected companies with fewer than 1,000 employees, and 60% of those firms had revenues of less than $50 million.
Further, more frequent and more severe attacks on small and medium-sized businesses are what’s helping to drive the increase in premiums being seen in the cyber insurance market these days. That’s why it’s critical for smaller businesses to ensure they have security measures in place such as multi-factor authentication on password-protected systems, control over who has access to sensitive information, and incident response plans that map out the steps the company should take to recover from an attack.
2. It’s only about data backup and encryption
As attackers have become more sophisticated, the backup of data and encryption is no longer enough, in fact threat actors are now exploiting data backups to put further pressure on victims. Threat actors are:
Encrypting back-up data, to prevent restoration of information in lieu of paying the ransom.
Capturing sensitive data, holding it as hostage and threatening to release it to the public if a ransom is not paid.
Should an attack occur, it is crucial that pre-arranged cyber professionals are engaged to thoroughly check what data may have been accessed by threat actors, as well as screen data back-up systems to identify and remove suspicious malware.
3. Ransomware losses are limited to payments
According to a survey by security firm Sophos, the global average cost to remediate a ransomware attack is $761,106—and paying the ransom actually doubles that cost to an average of $1.45 million. But the bigger impact for most organizations is the downtime and lost productivity associated with a ransomware attack. Business interruption losses have accounted for 60% of cyber insurance claims in the past five years. Additionally, 70% of ransomware attacks now involve the threat to leak sensitive data, which could cause additional expenses to the company from data breach standpoint, including potential costs associated with complying with state notification laws as well as privacy-related fines and penalties and much higher monetary and reputational losses.
4. Security software is enough protection
Security software alone will not protect an organization. What often happens is that companies aren’t pulling all the levers on software, which results in gaps where threat actors can work around the software. To protect against this, companies should create a cybersecurity culture that provides guardrails so that people automatically think twice before opening an email or pause before clicking on an attachment from an unknown sender. Ultimately, it’s every employee’s job to protect the organization.
5. Threat actors attack immediately
Attackers are getting increasingly good at waiting, and often are in company systems for months before they actually pull the trigger on an attack. Many of them use strategies that plan a bigger attack by starting with small disruptions and learning from them. And depending on what they’re looking for, the more specific—such as going after government entities—the more they’re willing to wait for the ideal time to strike or to try a range of techniques until they find the weak spot in an organization.
At a very minimum, organizations should have risk mitigation strategies in place, including guidelines for systems access and employing multifactor authentication.
This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.
 Coveware. Why Small and Medium-sized Professional Service Firms are a Big Target for Ransomware Attacks
 Bitfender’s Mid-Year Threat Landscape Report 2020, page 1
  Coveware. Ransomware Marketplace Report, August 3, 2020