Ransomware: Are startups overlooking their own vulnerability?
At least $456.8 million was extorted from the victims of ransomware attacks in 2022.
For many, this won’t be a surprising number. Severe ransomware attacks are now a staple of the news cycle, with coverage of breaches at major enterprises like Royal Mail, NCR, and CommScope almost impossible to avoid.
The trend with these reported attacks is that large, mature companies are targeted for their ageing cybersecurity systems, large cash reserves, and inability to respond quickly. According to one analysis, the collective revenue of companies targeted by ransomware attacks between 2020 and 2022 was over $4 trillion.
In February, the White House reclassified ransomware attacks as a threat to national security due to increasing attacks against critical infrastructure. With hacker groups like LockBit now starting to successfully target Macs with ransomware, one thing is clear - this problem is only growing.
But as ransomware continues to rise as an issue in corporate boardrooms, are we overlooking the fact that startups are just as vulnerable as, if not more vulnerable than, large businesses?
A growing target
Attacks on large companies dominate headlines, but the bulk of ransomware attacks actually affect small and medium-sized enterprises (SMEs). 26% of SMEs in the UK were targeted with ransomware in the last year, while almost 80% of reported cyber attacks on very small businesses were ransomware. In fact, the volume of attacks on large companies is falling, while it is increasing for every other business profile.
If anything, the impact of these attacks on startups is under-reported.
Large companies may have been the target of some of the most high-profile attacks in recent years, but they also have the resources to steel themselves against future threats. Moreover, they now have the experience to deal with attacks if they happen again. Startups do not benefit from this, and attackers are taking notice.
Startups should be aware that the immediate vulnerabilities that lead to ransomware attacks are not exclusive to large enterprises. Some of them assess the risks responsibly, but most, naturally, concentrate efforts and resources in other directions. According to one report, 51% of small businesses do not have cybersecurity measures in place, with 59% of these claiming they are “too small” to be targeted.
To understand these cybersecurity threats we must address a key point. Whether an attack is targeted (meaning that a hacker identifies and exploits a vulnerability in a specific network system, usually an insecure Remote Desktop Protocol connection) or the result of an opportunistic phishing campaign, the ultimate attack vector is always the same - the endpoint.
For example, 40% of ransomware incidents occurred due to desktop sharing software, and 35% stemmed from email usage. These are everyday tools used by businesses of all sizes, not just large enterprises, and involve insecure endpoints. The rise of remote working, which 70% of startups now offer, only increases the attack surface.
Startup culture also breeds vulnerability to ransomware attacks. By their nature, startups are set up to grow rapidly. Their great asset over bigger enterprises is a high degree of business agility and adaptability as well as a modern tech stack. But while this helps them thrive and innovate, it cannot come at the cost of security.
A passive approach to cybersecurity threats may pose an existential risk for startups, but it's also unfair to consumers who trust them with their data, hoping that it will be sufficiently protected.
How can startups mitigate these ransomware risks while retaining the small, nimble structure that makes them so unique?
Investing in cybersecurity expertise is always recommended. Hiring and empowering an executive-level cybersecurity expert not only protects your business and data and instils a company-wide secure-by-design mindset, it can also help a company to stand out from competitors. Beyond this, there are certain cybersecurity principles that startups need to adopt to defend themselves against ransomware.
With endpoint attacks the source of ransomware, adopting zero-trust principles should be non-negotiable for startups. The core principle of Zero Trust Network Access (ZTNA) is that no user or device is trusted and granted access to secure data and assets by default. This is a secure, precise, and sophisticated solution for hybrid working.
Multi-Factor Authentication (MFA) is another key line of defense (as recent breaches have shown). By requiring an additional security layer before granting network access, even hackers who gain access to an endpoint (e.g. an employee’s PC) will hit a brick wall. Without access to the separate authenticator, it will be much harder to infiltrate the network.
But there is a limit to what startups can do by themselves. If this issue is to be addressed at scale, there needs to be greater public-private collaboration against ransomware. Europol’s ‘No More Ransom’ initiative, a partnership between European government agencies and IT security companies offering decryption tools targeting 165 ransomware variants, is an example of what can be achieved when industry leaders and law enforcement join forces.
The damage caused by ransomware attacks is not limited to the companies they victimise - the cumulative economic and social impact is enormous. Repelling these attacks will require governments to collaborate with businesses and cybersecurity vendors to share resources, expertise, and data in a transparent manner.
Ransomware is not going away anytime soon, and it is only a matter of time before the impact of these attacks on the startup ecosystem is more widely known. Before this happens, industry and government have the opportunity to act in the best interest of small businesses by raising awareness of this threat, reducing ransomware complacency, and investing in preventative measures like MFA and ZTNA.