You cannot read the news today without finding another story of a company besieged by a malware infection: their files encrypted, and the company brought to its knees by cybercriminals.
We’ve recently seen a large pipeline company forced to shut down all operations and a U.S. government agency suspending operations for two to four months, leaving more than 550 former Hanford workers without access to benefits.
While we often read about large corporations affected by ransomware, small businesses aren’t immune from these cyberattacks.
U.S. Department of Homeland Security Secretary Alejandro Mayorkas has warned that small to midsize businesses are the targets of 50% to 75% of ransomware attacks. In the past year, ransomware attacks have risen more than 300%, costing businesses over $350 million in ransom payments alone.
Extorting companies is big business in 2021.
With the word ransomware thrown around so casually, we should probably agree on a definition of what it is. Ransomware is software that runs on a computer and gives someone leverage over a person or company through malicious means.
This typically means that a person or company’s information is made inaccessible by encrypting the information with a key that only the attacker has. Using this as leverage, the attacker extorts the person or company for money to give up the key to decrypt the information.
A more elaborate method of extortion is on the rise as well. Besides encrypting information on the computer, the ransomware also will package up and send the information to the cloud to be used to blackmail the company or customers by threatening to release sensitive information. Further, this information is often used for identity theft.
The information tends to become commoditized and sold amongst criminal groups, even if the ransom is paid.
It’s easy to think that because you’re a small business, this shouldn’t affect you. The reality is that this type of software is sent out blindly, widely and inexpensively, predominantly through email. The distribution of the ransomware is indiscriminate and blasted widely to email addresses that have been acquired through other hacks, open searches or other legitimate lists. Everyone is at risk because the cost to infect a system is low while the reward can be very high.
What can you do about this scourge of malware?
You should follow best practices as published by the U.S. Cybersecurity & Infrastructure Security Agency. Here are a few categories to implement when looking at your business’ cybersecurity posture:
Training
Implement a comprehensive employee training program that covers common methods of attack and includes simulated phishing campaigns. Programs that encourage good behavior rather than punish failures have been shown to be far more successful, because these programs depend on employees reporting potential issues and not feeling shamed for doing so.
Patching
Continuous security patching and auditing are necessary across all technology devices. Often forgotten are the edge devices, such as firewalls and routers used by many homes and businesses. These edge devices have become a common attack surface lately, especially with working from home becoming typical in our modern business environment.
Password hygiene
Passwords are still ubiquitous and a common method for attackers to take over accounts and networks. Visit haveibeenpwned.com to check if any of your accounts have been exposed. Taking simple steps can help: never reuse passwords, use longer and more complex passwords, and ideally use a password manager such as LastPass or 1Password.
Multifactor authentication
Multifactor authentication, or two-factor authentication, combines your username and password with something like a 6-digit code texted to your phone or a physical device, like a YubiKey. This significantly increases account security, and research suggests this alone can prevent up to 99.9% of account attacks.
Endpoint protection
Your free antivirus software just isn’t enough.
Comprehensive endpoint protection methods must be implemented on any business device, especially those with access to sensitive business information. Reducing the attack surface by removing administrator access from the daily user account, using robust antivirus and anti-malware protections, and implementing robust backup solutions are critical to both preventing and recovering from malware.
A business should consider leveraging trusted security-focused firms to help implement and manage risk-based cybersecurity programs and to audit existing programs to ensure compliance. Businesses also should engage their insurance firms to get more information about cyber insurance to transfer risk.
The only thing you shouldn’t do is nothing.
Ryan Maloney is the chief executive officer of Devinion LLC, a managed information technology and cybersecurity services company in Richland. He has more than 25 years of experience in network security and systems integration.