A recent survey by the Ponemon Institute reveals that many small and midsize businesses pay ransomware demands—and then keep it a secret to avoid any negative publicity. The survey, sponsored by Carbonite, confirms widespread reports that SMBs are increasingly targeted by cybercriminals. It also shows that nearly half the victims do not report the attacks.
The most common reason companies do not report ransomware attacks, according to the survey, is to avoid having the information made public. The survey focused on 618 respondents whose organizational roles require them to help contain ransomware. About half of the survey respondents had suffered a ransomware attack, and about half of the victims paid the ransom. The average amount of the ransom requests was $2,500.
Businesses that wind up paying cybercriminals often don’t want the incident to reflect poorly on their company or employees, and they don’t want customers to worry their data might be exposed. Still, the battle against ransomware can be made even tougher when attacks aren’t reported. That’s because a key consideration for business decision makers in evaluating the risk of infection is the number of ransomware attacks year over year. The number reported by the FBI covers only attacks that were reported. What’s missing is the number of unreported attacks – as well as the number of undetected attacks.
Those who were able to avoid paying ransom often relied on backup technology. Forty-two percent said they did not pay the ransom because they had a “full backup.” A whopping 81% of respondents rated a “full and accurate backup” as important (21%), very important (38%), or essential (30%) to protecting organizations against ransomware.
Others refused to pay ransom because they believed cybercriminals would not unlock their data once the ransom had been paid. According to Kaspersky, it makes sense to doubt cybercriminals will cooperate:
“There are many cases where the cybercriminals do not actually have access to the key that decrypts the data. Ransomware is now readily available on the black market, so many take leaked sources of ransomware, modify the payment information and launch it through their own distribution channels. They never had the key in the first place.”
According to Gartner, business decision makers who fail to implement a ransomware strategy do so at their own peril:
“The tendency of most organizations to react to incidents rather than plan for them leads to considerable IT staff hours lost to response, damaged CISO reputation, weakened security team rapport with internal and external stakeholders, and negative public relations.”
Many survey participants said their employers believe they’re too small to be targeted. But the people responsible for containing ransomware at SMBs have a very different opinion; 59% of respondents who experienced an attack believe cybercriminals specifically targeted their companies and employees. In addition, 67% reported that ransomware poses a greater threat than any other type of malware.
Extra vigilance, planning needed
The explosive and sustained growth of ransomware infections at businesses of all sizes is a significant consideration for decision makers responsible for risk mitigation. Businesses without adequate defenses have little choice but to pay cybercriminals for access to their critical business data. Small businesses need to stay vigilant, and prepare to defend against malware—no matter the size of their company.
Norman Guadagno is Carbonite's Chief Evangelist and Senior Vice President of Marketing.