The Malwarebytes Q1 2019 Cybercrime Tactics and Techniques report contains some eye-watering statistics, including the fact that business ransomware detections increased by no less than 195% from Q4 2018 to Q1 2019 and, taken over the course of the year, by over 500%.
Admittedly, these figures are skewed by the Troldesh ransomware attack in Q1, which largely escaped the UK news as it focused on the US, where its perception and impact could be reasonably compared to 2017’s WannaCry attack in the UK (and elsewhere).
For the most part, cybercrime is a form of economic crime and, like all economic actions, the decision as to whether or not to proceed is ultimately based on a cost/benefit analysis of the situation and its likely outcomes.
Attacks on consumers may be relatively straightforward, hence low cost, but they also tend to be low reward, so while consumers cannot afford to drop their guard (as this would make them too easy a target), they may take some comfort from the fact that malware attacks on them are currently on a downward trend.
Businesses, by contrast, handle more data than consumers and so the benefit of successfully attacking them is much greater. Big companies with big resources should be virtually impossible to attack (though recent history has shown that this is not necessarily the case). SMEs, however, are far less likely to have the in-house expertise to protect themselves effectively and are therefore more likely to be vulnerable targets, offering an attractive balance of cost and benefit.
SMEs cannot afford to take the view that they are too small for cybercriminals to bother with them. It is crucial that they either develop in-house expertise or use a third-party partner to help them manage their security effectively (or a combination of both).
While this may initially look expensive, so are the penalties for GDPR breaches (which can include prison sentences) or the loss of customer trust as a result of such breaches. Dealing with the after-effects of a ransomware attack, too, is not cheap.
On the plus side, the good news for resource-strapped SMEs is that effective IT security doesn’t necessarily have to be hugely expensive; it is often far more important to apply realistic, informed, joined-up thinking and to maintain an awareness of current threats and the trends in cybercrime so that security can be updated as appropriate. For businesses that are not large enough to have a whole IT team dedicated to digital security as well as ongoing IT issues, these services can be outsourced to specialists who are experts in managing risk and keeping systems working.
It’s also very much worth noting that human staff can often be either your greatest security asset or your greatest security weakness, so the resources spent on training them can most definitely be thought of as a solid investment in your company’s future.