Ransomware attacks are not limited to large companies or major infrastructure, and the number of organisations affected globally keeps rising.
According to cyber security company Deep Instinct, ransomware attacks increased globally by 435 percent in 2020.
“They do not care if you're small, medium or large, it's about monetisation at scale,” says Adam Evans, vice president of Cyber Operations and chief information security officer (CISO) for RBC.
“If you're going to operate a business in this digital landscape, you have to educate yourself on how to protect your services,” Evans says.
Protecting your business from cyber criminals begins with understanding what ransomware attacks are, what you can do to prepare and how you can recover if you are targeted.
What is ransomware?
Ransomware is malicious software that locks all the files on your computer, preventing you from accessing them unless you pay a fee to have them released back to you. Or, put another way, it's like someone moves into your house, changes the locks, and then tries to sell your own home back to you for a price.
Reported cases of ransomware have risen exponentially in recent years as criminals have grown bolder with each successful attack. Every time criminals get paid, they see more opportunities to make money. “They've almost been incentivised to focus on disruption because of the likelihood of payment,” Evans says.
Lindy Cameron, head of the UK's National Cyber Security Centre (NCSC) has stressed the importance of the country's cyber resilience to stop cyber attacks.
Speaking at the Royal United Services Institute (RUSI) Annual Security Lecture, Cameron urged both businesses and the public to take ransomware threats seriously.
Ransomware attacks are the key cyber threat facing the UK, says Lindy Cameron, NCSC
Travelex, a UK-based provider of foreign exchange services, reportedly paid $2.3 million (£1.65 million) in 2020 after cyber criminals infiltrated its network. The ransomware attack took its systems offline, and the company subsequently fell into administration and had to be restructured with the loss of 1,300 jobs.
In April 2021, Colonial Pipeline Co. shut down 8,850 km (5,499 miles) of its pipeline system in the U.S. for five days after being hit by a ransomware attack. Cyber criminals likely perceived an opportunity to cause mass disruption, which is another common motivator for these types of attacks. From a criminal's perspective, the more disruptive the attack, the larger the ransom will be, and the more likely it is to be paid.
Typically, a criminal organisation will pay a ransomware provider to use its “ransomware-as-a-service” (RAAS) technology to lock down a target company's systems. In return, the RAAS vendor gets a percentage of the ransom that's paid for every successful attack. There's also usually a licensing fee that the criminal organisation pays to use the ransomware technology. The criminals that demand the ransom from the targeted business seek an amount that's high enough to make a large profit but still reasonable enough to the victim to ensure they pay.
Colonial Pipeline Co. eventually paid a $4.4 million ransom to restore service.
The velocity and frequency of ransomware attacks will likely increase as groups in undeveloped countries with limited employment opportunities recruit members into the cyber crime economy, Evans says.
Protecting your small business from ransomware attacks
Though the number of threats may increase, small businesses can take steps to help prevent attacks or to minimise their damage.
“You have to prioritise based on the risks that you see and figure out ‘What are my critical information assets that I need to protect,’” Evans says. Whether it's your intellectual property or your clients' data, you should understand what criminals may target and protect those important assets first, he explains.
You should then develop a plan for recovery if your systems are compromised. “Once you've got your plan, it's about practicing how you're going to respond because when it happens to you, deciding in a time of crisis is not the time to do it,” Evans says.
Businesses should also identify and close any security gaps, and engage companies that could help restore operations in the event of an attack. “You want to get your services back up and running but you still have to go through the whole investigative process and make sure your environment is still safe to operate,” Evans says.
On average, it takes 16 days for a business to recover services in a ransomware attack, says RBC Chief Information Security Officer Adam Evans
Retaining customers in the interim is vital.
“Everybody is getting educated to a point now where they understand that these things happen pretty regularly. It's about how you deal with it,” Evans says. “You can improve your relationship, or it can have a massive impact on your ability to do business and retain your customers.”
Evans points to a shipping company that lost its IT environment overnight. “The very first thing that was communicated was to ‘do what's right for the client and we will figure everything else out.’ And that gave them a very, very simple kind of mandate to follow in the recovery activity.”
Ransomware attacks may be spreading, and they certainly can be daunting, but they don't have to be devastating for small businesses. By being aware of a potential threat, and understanding how to prepare, business owners can speed up their recovery in the event of a ransomware attack.
RBC is committed to helping clients and their businesses stay secure and resilient. Through a dedicated cyber security website, you will find resources and best practices for how to protect your business.
To further support business clients, RBC has partnered with law enforcement agencies to identify the most common cyber security threats impacting small and medium businesses.
The Little Book of Big Scams also aims to increase awareness of cyber threats. Inside you'll find best practices and simple steps you can take to safeguard your business and employees.
Business owners can also download the Cyber Security Crisis Management Template for Small to Medium Businesses. It lays out the foundations for proper crisis management and the steps to recovery if a cyber attack were to occur.
This publication has been issued by Royal Bank of Canada on behalf of certain RBC® companies that form part of the international network of RBC Wealth Management. You should carefully read any risk warnings or regulatory disclosures in this publication or in any other literature accompanying this publication or transmitted to you by Royal Bank of Canada, its affiliates or subsidiaries.
The information contained in this report has been compiled by Royal Bank of Canada and/or its affiliates from sources believed to be reliable, but no representation or warranty, express or implied is made to its accuracy, completeness or correctness. All opinions and estimates contained in this report are judgments as of the date of this report, are subject to change without notice and are provided in good faith but without legal responsibility. This report is not an offer to sell or a solicitation of an offer to buy any securities. Past performance is not a guide to future performance, future returns are not guaranteed, and a loss of original capital may occur. Every province in Canada, state in the U.S. and most countries throughout the world have their own laws regulating the types of securities and other investment products which may be offered to their residents, as well as the process for doing so. As a result, any securities discussed in this report may not be eligible for sale in some jurisdictions. This report is not, and under no circumstances should be construed as, a solicitation to act as a securities broker or dealer in any jurisdiction by any person or company that is not legally permitted to carry on the business of a securities broker or dealer in that jurisdiction. Nothing in this report constitutes legal, accounting or tax advice or individually tailored investment advice.
This material is prepared for general circulation to clients, including clients who are affiliates of Royal Bank of Canada, and does not have regard to the particular circumstances or needs of any specific person who may read it. The investments or services contained in this report may not be suitable for you and it is recommended that you consult an independent investment advisor if you are in doubt about the suitability of such investments or services. To the full extent permitted by law neither Royal Bank of Canada nor any of its affiliates, nor any other person, accepts any liability whatsoever for any direct or consequential loss arising from any use of this report or the information contained herein. No matter contained in this document may be reproduced or copied by any means without the prior consent of Royal Bank of Canada.
Clients of United Kingdom companies may be entitled to compensation from the UK Financial Services Compensation Scheme if any of these entities cannot meet its obligations. This depends on the type of business and the circumstances of the claim. Most types of investment business are covered for up to a total of £85,000. The Channel Island subsidiaries are not covered by the UK Financial Services Compensation Scheme; the offices of Royal Bank of Canada (Channel Islands) Limited in Guernsey and Jersey are covered by the respective compensation schemes in these jurisdictions for deposit taking business only.