Why SMBs Need to Get Wise to the New Threat Landscape

By Rick Miller – September 19th

The cybersecurity landscape changes every day, with new actors, new threats, new schemes, and new ways to infiltrate websites, emails, devices, and almost anything that is connected to the internet. We’re constantly reading about the rise of spear phishing, DDoS attacks, global malware threats, ransomware, CEO fraud, and more.

Despite all of the attention that cybersecurity is receiving, there is still a widely held belief in the small- to medium-sized business (SMB) community that cyberattacks happen to someone else. I call this the “Ostrich Effect”—read more about it in this blog: Cybersecurity and the Ostrich effect.

There is a popular theory that when an ostrich senses danger, it buries its head in the sand. In fact, this isn’t true, but it has spawned a few theories that psychiatrists call the “Ostrich Effect.” Apparently, this is something that is prevalent in humans; it is our natural instinct to avoid unpleasant or difficult news or situations. Unfortunately, hiding from a problem doesn’t make it go away. It just continues without you, delaying the inevitable.

This is the state of cybersecurity in the SMB market today. The threat exists. It’s real. It’s growing. It is not going away, and if we continue to bury our heads in the sand, it is going to get much worse.

Enter Ransomware as a Service (RaaS), the latest, scariest, and most easily proliferated cybercriminal product on the market today. RaaS is sold on the Dark Web as a kit. For as little as $40 to $400, anyone can buy it. It is designed so that almost anyone with or without technical expertise can launch a ransomware attack.

In fact, one of the most prolific of the RaaS kit creators is The Rainmakers Labs. According to Bill Brenner on Sophos^® News, The Rainmakers Labs run their business the same way a legitimate software company does to sell its products and services. While it sells RaaS on marketplaces hidden on the Dark Web, it hosts a production-quality “intro” video on YouTube^®, explaining the nuts and bolts of the kit and how to customize the ransomware with a range of feature options. A detailed “Help Guide,” walking customers through set-up is also available on a .com website.

RaaS is a direct threat to SMBs

SMBs should be aware of this threat. While RaaS has been around for a while, it has now reached mainstream marketing channels and may be used by anyone with the desire to commit cyberextortion.

By enabling individuals with little to no technical experience, RaaS opens the door for a whole new breed of cybercriminal. These “cybernewbies” understand that by using a RaaS kit, they can shut down almost any small business by locking their files and extorting payment through untraceable bitcoin currency, and at the same time run almost no risk of getting caught.

SMBs should be aware that RaaS has changed the threat landscape, and they are at more risk than ever before. Consider these statistics:

1. Cybercrime is expected to cost the world over $6 trillion USD by 2021. That’s only four years from now. Source: CSO Online
2. SMBs are under attack as cybercriminals understand SMBs have fewer resources and far less protection than larger entities. Source: SEC.gov
3. Half of all cyberattacks are against SMBs. Source: Keeper Security/Ponemon
4. Ostrich Effect statistics: 77% of SMBs say their companies are safe from cyberattacks, yet 83% of them have no formal cybersecurity plan. Source: Sklar Technology
5. 6 out of 10 SMBs do not have a contingency plan should they undergo a cyberattack. Most are not aware of the laws in their state regarding responding to and reporting a cyberbreach. Source: Advisen 
6.  66% of SMBs say they are not worried about a cyberattack. Source: Sklar Technology
7. Most SMBs do not have policies in place to provide procedures for employees in the case of an attack. Source: Sklar Technology
8. While most small businesses feel that they have adequate protection for themselves and their customers, Visa, Inc. reports that SMBs represent over 90% of payment data breaches.  Source: Visa
9. Most small businesses do not have any cybersecurity training in place for their employees, while 83% of breaches are caused by untrained employees being duped by phishing and spear phishing activities. Source: KnowBe4

Being Proactive is the Way to Defend Against Cyberattack

While the news on the cybersecurity front is daunting, SMBs with a proactive plan of protection are far less likely to suffer a breach. When considering a plan for protection, these four areas should be reviewed:

1.Risk Assessment—it is critical to know what data is at risk, where it is, and how to protect it.
2. Risk Remediation—have a process to remove/back up/encrypt data to bring to “clean state.”
3. Protection—utilize advanced technologies to secure a safe environment for your business and your customers.
4. Education—instigate employee cybersecurity awareness training.

A proactive approach to protection is the key to being safe for most businesses, whatever their size. It’s business 101. Remember, if you are connected, you must be protected!

Rick Miller is COO and Partner of The Tek, an MSSP specializing in risk assessment, risk mitigation, protection, and education to SMBs. Rick is a long-term veteran in the IT industry. His success has been founded in propelling start-ups and turnarounds to success and profitability. His experience has helped to grow multiple companies from start-up to profitability.