Small Business a Big Target for Ransomware


Have you noticed that most of the cybersecurity news you hear about concerns successful cyberattacks on big companies, schools and hospitals? Did you know that the primary targets for cybercriminals are actually companies with fewer than 500 employees?

According to a recent study by Infrascale:

  1. 46% of all small businesses have been the targets of a ransomware attack.

  2. Of those companies that were hit with a ransomware attack, almost three-quarters (73%) paid a ransom.

  3. 43% of small businesses paid a ransom between $10,000 and $50,000 and 13% paid more than $100,000.

  4. The bad news is that of those who paid, only 17% recovered some of their company’s data.

  5. Looking more into the study, it showed that 55% of the successful attacks were on business-to-business (B2B) companies and only 36% were business-to-consumer (B2C) companies.

So let’s summarize: if your company has fewer than 500 employees and you’re in a B2B business, there’s a 46% chance that ransomware is going to make its way into your company, and a 73% chance that you’ll pay the ransom, which is likely to cost you between $10,000 and $50,000. Even after you pay it, there’s only a 17% chance that you’ll actually get your data back.

According to another study by Symantec, 60% of companies that experience a data breach will go out of business within 12 months, and this study’s findings could be part of the reason why: high ransomware payouts and a low chance of getting your data back.

And by the way, these are conservative numbers. Most of the folks we work with to get back up and running after a ransomware attack don’t take part in a study or make the incident public. I’m sure it’s much worse than this. So, if you don’t want to be part of the 46% that gets ransomware and the 60% that go out of business afterwards, I recommend the following:

The Takeaway

Ask yourself, what does your business continuity plan (BCP) look like? A BCP is a written document that lays out some disaster scenarios, how those scenarios might affect your business, some strategies to recover from those incidents and a plan to do so.

For extra credit, I recommend an annual tabletop exercise in which the IT department runs through some of those scenarios to discover what changes need to be made to make your company more resilient. Not sure where to start? The Department of Homeland Security (DHS) has posted a free guide and template here: https://www.ready.gov/business-continuity-plan. Every time we do one of these tabletop exercises together with the IT department, there are always surprises.

If you can’t get to this today, be sure to put a BCP meeting on your calendar for the near future. It’s important that you plan for your company’s survival of a cyberattack. Your employees, customers and community are depending on you to be resilient.

Stay safe out there.