Since 2016, searches for ‘ransomware’ have increased 877 percent, and ransomware payments have become a multi-million-dollar business, according to Google. More and more hackers are targeting small to midsized businesses (SMBs) more frequently than large enterprises, but many don’t have the right tools to protect themselves, or realize the risks. 

According to the SEC, 60 percent of SMBs who suffer a cyber-attack go out of business within six months. Why? For many SMBs it may seem cheaper to pay a ransom than to invest in sufficient cyber protections or, after an attack, conduct a post-breach assessment. Proactive preparation for the technical and financial impact of an attack is the best defense. 

Jason Hogg, CEO, Aon Cyber Solutions, sat down with Inside Counsel to discuss what SMBs should be doing to protect themselves and their bottom line, as well as provide cost-effective best practices for businesses looking to address the risk before they become the next victim. 

The increase in attention that ransomware is receiving reflects the sharp increase in ransomware attacks against companies, and the rise in the financial damage that these attacks have been causing. Research has found that ransomware has risen over 250 percent during the start of 2017, and another report predicts that ransomware damage costs would exceed $5 billion this year. Largescale incidents like WannaCry and NotPetya within the last year have brought more awareness to the damage these incidents can wreak, and are a wake-up call to businesses to think about the levels of protection they have in place. 

Typically, through ransomware attacks, hackers can extort anything from a few hundred to thousands of dollars. Many organizations look at the cost of the fine and weigh that against what they believe are the huge costs of proactively implementing cybersecurity practices. Many feel the most cost-effective thing to do is just to take on the risk and then pay the fine if they get hit, so most companies decide to pay up. 

“This is flawed logic, however, as the costs of the ransomware attack extend far beyond the cost of the ransomware payment itself,” explained Hogg. “The financial impact that ransomware causes through interrupting normal business operations while the attack is being dealt with and files are held hostage is significant. Because small businesses tend not to have appropriate protections in place, they are often the worst hit – with recent studies showing that downtime and the potential of businesses paying the hackers costing SMBs over $100,000 per incident. In total, ransomware attacks have cost SMBs more than $75 billion in damages and payments.”


To conduct a successful ransomware attack, per Hogg, a hacker relies on a company’s lack of preparation – for example, its inability to recover its files from regular back-ups, and prevent the ransomware spreading throughout its systems. It’s because of this reason that attackers are increasingly targeting SMBs – they tend to be easier to catch off guard, meaning the attackers can more easily recoup a ransom payment, or simply cause severe business downtime. 

“This is because SMBs usually have fewer resources to invest in the preventative measures that help them fend off an attack – such as training and awareness among employees and creating regular data back-ups,” he said. “They are also less likely to have the resources to invest in creating a solid business continuity or recovery plan to put into action if they are attacked, including having a cybersecurity firm on IR retainer.” 

In a recent small business survey, only two percent of the small business owners surveyed said they viewed the ransomware threat as their most critical issue. Hackers have breached half of the 28 million small businesses in the U.S. In addition, many SMBs feel they are not able to prioritize cybersecurity when they must make tough decisions on budget. it makes sense that a SMBs would expect that cyber criminals have bigger fish to fry in attacking large multinational corporations for more money. 

“In many of the most recent ransomware attacks, we have seen criminals demanding a small amount of money, suggesting that causing mass disruption to businesses is the goal,” Hogg pointed out. “Recent research has shown that SMBs often find themselves unable to absorb the costs associated with this disruption.” 

According to recent findings, 22 percent of SMBs that experienced a ransomware attack were forced to stop business operations immediately. Additionally, one ransomware attack can cause 25 hours or more in downtime for SMBs, which is a lot of lost revenue and damage to customer relationships and other third parties that depend on them, according to Hogg. This downtime can also cost SMBs as much as $8,500 per hour – in some cases, SMBs may even find that they are sued for third party losses caused by the attack, adding further to the financial impact. 

He said, “Unlike larger organizations, with more financial reserves, many of these businesses don’t have any leeway in their finances to make up for that loss in downtime. For some of them, that means they can never recover from the ransomware attack.” 

So, what should SMBs be doing to protect themselves and their bottom line? 

“Given the deep impact that ransomware attacks can have on businesses in terms of their ability to operate, SMBs need to be evaluating their technical vulnerabilities, but also looking at the effect these vulnerabilities could have on the business from a financial perspective,” explained Hogg. “In this sense, they should be taking a truly holistic approach to protecting themselves against ransomware. This means taking proactive action ahead of an attack.” 

A few questions SMBs should ask themselves include: When was the last time you reviewed your company’s disaster recovery and business continuity plans? Can you identify where all your mission critical data resides and whether regular backups are being made? Have you tested restoring data from the backup? Is the speed of data recovery acceptable? Do you have adequate network segmentation to contain the ransomware attack to a certain segment? Does your cyber insurance policy provide adequate coverage? 

“Thoughtful, proactive planning to protect from the business from the impact of possible future attacks is how companies really begin to secure themselves,” he said. “However, SMBs often do not have significant budgets for extensive cybersecurity programs.” 

Despite this, according to Hogg, there are fundamental proactive prevention efforts and best practices that SMBs can implement to ensure they have robust technical prevention controls in place and increase their level of resilience. First, conduct full awareness training for employees around the ransomware, including creating and testing a solid business continuity and recovery plan that teams can activate in the event of a ransomware attack. Next, creating backups is key, but more important is the granularity of the backup solution. Using a system that allows the creation of snapshots in time or maintaining multiple versions of documents as they are created over the course of the day can allow a company to restore to a specific point in time prior to the backup with minimal loss of productivity. 

Third, smaller businesses may not be able to perform regular snapshots of their systems but should at a minimum consider setting up daily backups or a differential backup that is disconnected from the network. This will help prevent accidental corruption or encryption of important files in the event of a ransomware incident. And Lastly, whenever an attacker has intruded upon a company’s system, whether that’s through a default password on a smart device or a vulnerability in their perimeter caused by delaying an update, adaptation to prevent an attack from happening again is essential. An organization could be negligent if they haven’t plugged up certain holes that they were aware of.