News that the U.S. government recovered more than $2 million from ransomware attackers whose victim, Colonial Pipeline, paid the ransom sparked conversations yet again about whether businesses should cough up the money cyberattackers demand.
Federal agencies’ stance on this question is increasingly becoming a resounding “no.” Paying the ransom merely rewards cyberattackers for their crimes, experts argue.
That’s easy to say, however, when you’re not a small business owner whose entire livelihood may be on the line.
While large corporates that become victims of high-profile cyberattacks may dominate headlines, small and medium-sized businesses (SMBs) are also vulnerable to ransomware, business email compromise (BEC) and a flurry of other cyberattacks keeping professionals on their toes. And while cyber insurance may mitigate some of this threat, the product is growing more difficult to procure and may do little to deter bad actors from targeting a company in the first place.
In a recent discussion with PYMNTS, Chris Finan, who is chief operating officer (COO) of cybersecurity firm ActZero and former director of Cybersecurity Legislation and Policy at the National Security Council (NSC) for the Obama administration, offered insight into just how complex the small business cybersecurity landscape can be, and why it’s vital that firms combine proactive security measures with other tools like cyber insurance to achieve the best defense against a ballooning threat.
While the concept of preventing a cyberattack before it happens is logical, for smaller businesses, cyber threats can be monstrous.
“Attackers have such an overwhelming advantage right now,” said Finan. “It’s almost unfair to expect a small business to defend itself.”
Today’s general mindset often lands on the idea that if a business is going to be operating with some kind of a digital presence — pretty much every operation today — then it must accept that cyberattacks are a threat, and it should take responsibility for protecting itself.
But in reality, small businesses are strapped for funds and resources, and they can lack the time and expertise needed to comprehend what threats exist and how to protect against them.
For years, cybersecurity experts have warned: it’s not a matter of if you’ll be targeted — but when. Yet increasingly, businesses that do fall victim to an attack don’t just have to face the consequences of their decision over whether to pay the ransom, but they’re also having to face public judgment for falling victim in the first place.
“We don’t want to blame the victim because these ransomware attackers have the benefit of a tooling ecosystem and a services ecosystem that is incredibly rich in sophistication and technology, aiding them to make these ransomware attacks,” noted Finan.
Businesses may turn to cyber insurance in an effort to safeguard themselves, but preventing an attack before it occurs can often be the most effective measure.
To demonstrate this, Finan pointed to the business email compromise, or BEC — an attack that has seen a dramatic climb in popularity and one that can often infiltrate companies’ B2B payment workflows to redirect supplier payments to an account controlled by a bad actor. Yet as damaging as this attack can be, it’s also easily avoidable.
“Turning on multi-factor authentication — the text message, the code you have to type in — combats this 90 percent of the time,” he said.
Adoption of cybersecurity tools can also be effective at tackling BEC, ransomware and other cyberthreats. Through the use of artificial intelligence (AI), for instance, systems can identify anomalies in how supplier invoices are sent or how payment requests are made.
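As an added illustration (not ActZero’s product and not code from this article), here is the kind of rule-based check a payments team could run over incoming supplier payment requests to flag the BEC pattern described above: a bank account that differs from the one on file, a lookalike sender domain, an unusual amount, or pressure language. The supplier records, thresholds and requests are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed supplier master data: what the business already has on file.
SUPPLIERS = {
    "acme": {"domain": "acme-supply.example",
             "iban": "DE89370400440532013000",   # constructed sample IBAN
             "typical_amount": 4200.0},
}

@dataclass
class PaymentRequest:
    supplier: str
    sender_email: str
    iban: str
    amount: float
    urgent_wording: bool   # e.g. "pay today or we stop shipping" (flagged upstream)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (one or two characters off)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(req: PaymentRequest) -> list[str]:
    """Return anomaly reasons for a request; an empty list means it looks routine."""
    known = SUPPLIERS[req.supplier]
    reasons: list[str] = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != known["domain"]:
        kind = "lookalike" if edit_distance(sender_domain, known["domain"]) <= 2 else "unknown"
        reasons.append(f"{kind} sender domain {sender_domain!r}")
    if req.iban.replace(" ", "").upper() != known["iban"]:
        reasons.append("bank account differs from the account on file")
    if req.amount > 3 * known["typical_amount"]:   # assumed threshold: 3x the usual invoice
        reasons.append(f"amount {req.amount:.2f} far above typical {known['typical_amount']:.2f}")
    if req.urgent_wording:
        reasons.append("urgency/pressure language in request")
    return reasons

def requires_out_of_band_verification(req: PaymentRequest) -> bool:
    """Policy: any account change or lookalike domain is confirmed by phone to a number on file."""
    return any(("bank account" in r) or ("lookalike" in r) for r in assess(req))

# Constructed sample requests: one routine, one matching the BEC redirection pattern.
ROUTINE = PaymentRequest("acme", "billing@acme-supply.example", "DE89370400440532013000", 4150.0, False)
SUSPECT = PaymentRequest("acme", "billing@acme-suppIy.example", "GB29NWBK60161331926819", 4150.0, True)
```

The check is deliberately simple; in practice the "account on file" comparison is the control that stops the redirected payment, and the phone call goes to a number from the supplier record, never to a number in the suspicious email.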
ActZero recently took the efforts to combat cyber risks for SMBs a step further through a partnership with cyber insurance firm Zeguro, a tie-up that Finan described as one-part risk mitigation (cybersecurity technology) and one-part risk transfer (cyber insurance). The two go hand in hand, he said, with cybersecurity technology able to collect valuable data that can help an insurer better understand the risk profile of a client.
These solutions are also a logical marriage because, regardless of how well-prepared or safeguarded a company is, there is always a risk of an attack, and having tools and procedures in place to respond to such an attack is as essential as the tools needed to proactively mitigate a threat.
For small businesses interested in ActZero technology, Finan said there is about an equal mix between SMBs that are looking to get a head start on their security strategies and those that have already fallen victim to an attacker. Each case is unique, but in general, efforts to prevent an attack can also limit the damage if an attack is ultimately successful.
Having empathy for victims and understanding their unique needs to limit damage and prevent future events is a crucial strategy in combating the monolith that is the cyberattack threat.
“The more you can get out in front to mitigate risks proactively, the more you can maybe not always prevent these incidents but prevent them from having the big material impact,” said Finan. “It’s very easy to have empathy, particularly with small and midsized companies and to understand their pain because we see it all the time. Almost everybody is grappling with this right now.”