New research from
Infrascale,
a cloud-based data protection company providing industry-leading backup and
disaster recovery solutions, reports that ransomware attacks are not at all
unusual in the small and medium business (SMB) community, as 46% of these
businesses have been victims. And 73% of those SMBs that have been the targets
of ransomware attacks actually have paid a ransom.
Yet, more than a quarter
of the total SMB survey group said they lack a plan to mitigate a ransomware
attack. And nearly a fifth of the total group said they feel their organization
is unprepared for a ransomware attack.
The Infrascale research
is based on a survey of more than 500 C-level executives. CEOs represented 87%
of the group. Almost all of the remainder was split between CIOs and CTOs.
"Ransomware is not a new
phenomenon," said Russell P. Reeder, CEO of Infrascale. "However, it is
surprising how many businesses are unprepared for a ransomware attack. It is
shocking that during a time in which the world should be coming together in the
fight against COVID-19, criminals are preying on unsuspecting people and
organizations for personal - usually financial - gain. And, in many cases,
these bad actors are actually benefiting. With appropriate strategies using
preventative measures like internet security and education, and protection
measures like data backup and disaster recovery, you should never have to worry
about paying ransomware."
B2B Organizations Were
More Likely Be Ransomware Targets Than B2Cs
Business-to-business
(B2B) organizations were more likely to have experienced a ransomware attack
than business-to-consumer (B2C) entities, according to the Infrascale survey
results. Representatives from more than half (55%) of the B2Bs said they had
been hit by ransomware.
But B2C organizations
clearly are not immune to the ransomware risk. The research showed that more
than a third (36%) of this group said they have been victims of ransomware
attacks.
Adequate Time and
Resources Often Stand in the Way of Ransomware Prevention Efforts
The majority of SMBs
(83%) said they do feel prepared for a ransomware attack, with 10% more B2Bs
(87%) expressing that sentiment than the B2C group (77%). However, 17% of the
SMBs participating in the survey said they do not feel that their business is
prepared for a ransomware attack.
Those SMBs that said
they feel unprepared to contend with ransomware attackers indicated that time
and resources are their next biggest enemies in this battle.
Almost a third (32%) of
the SMBs said they simply have limited time to research ransomware mitigation
solutions. The same share said their IT teams are so stretched that they feel
their organizations don't have the adequate resources to address the ransomware
threat.
"There's no question
that the time and talent of IT professionals are at a premium today," said
Reeder. "But there are many solutions, with varying levels of protection,
available to help businesses address ransomware. Many qualified third parties
can do much of the heavy lifting in terms of implementation and setup. That
makes it easier than ever for businesses to protect themselves from ransomware
and avoid rewarding criminals by paying out costly ransoms."
Ransoms Commonly Run in
the Tens of Thousands of Dollars - With No Guarantees
A lack of ransomware
protections is likely to cost these SMBs later. And, in some cases, SMBs may
already have experienced the hassles and financial losses that ransomware
creates.
The Infrascale research
shows that 78% of SMBs in the B2B category already have paid a ransom in a
ransomware attack. The majority of B2C SMBs (63%) said they have done the same.
More than a quarter
(26%) of the SMBs that said they have never paid a ransom said they would
consider doing so. Of that group, 60% said they would pay ransom to get their
files back quickly. And 53% said they would pay ransom to protect their
company's public image around data protection and recovery efforts.
SMBs that are open to
paying ransoms might want to start saving now, as this is not an inexpensive
proposition. Forty-three percent of SMBs said they have paid between $10,000 to
$50,000 to ransomware attackers. Thirteen percent said they were forced to pay
more than $100,000.
Paying a ransom does not
guarantee that an organization will recover any or all of its data. Seventeen
percent of the survey participants who said they paid ransoms to their
ransomware attackers indicated they recovered only some of their organization's
data.
Those That Are Still
Unprepared Should Take Steps Now Toward Prevention, Education
The good news is that
72% of the SMB survey group said their organization currently has a plan in
place to mitigate a ransomware attack. And the research suggests B2Bs (80%) are
better prepared on this front than B2C organizations (62%).
However, 28% of SMBs
said they do not have a plan to mitigate a ransomware attack. That puts these
organizations - and their customers and other stakeholders - at significant
risk. But these organizations can get started now to protect themselves from
costly ransomware attacks.
"The best protection, of
course, is prevention. And education is the key to its success," said Reeder.
"If something looks nefarious, it usually is. However, criminals are becoming
increasingly sophisticated at making their attacks look legitimate. And again,
at a time where people are in search of information and answers, the public's
fake-filters are at an all-time low.
"Next, of course, are
protection strategies," Reeder added. "Picking up on a potential attack in
advance is ideal to prevent it from happening. However, if an organization is
compromised, near-immediate remediation is top priority - and it shouldn't be
in the form of paying a ransom. With appropriate backup and disaster recovery
in place prior to a compromising event, an organization can quickly restore its
data or spin up its operations to restore service. And, with more investments
in sophisticated tools or features such as those in Infrascale's Cloud Backup
and Disaster Recovery, the point of compromise can also be pinpointed and often
prevented."