Cyber-attacks now cost businesses over $1M on average, can sink small companies

As of 2017, a single cyber incident can put a small company out of business, according to new research by Ponemon Institute. The findings confirm Bitdefender’s predictions for 2017 that targeted attacks would increase due to poor security of corporate networks.

Ransomware tops the list of threats to small and medium-sized businesses (SMBs) in 2017, according to a survey by Ponemon Institute of 1,000 IT professionals in the US and the UK.

Some 51% of respondents reported a ransomware attack, either unsuccessful or successful, in the past year, with more than half of those experiencing more than one attack in the period. 79% said attackers used phishing/social engineering to deploy the ransomware.

The risk of a cyber-attack (not just ransomware) for SMBs has risen from 55% in 2016 to 61% in 2017, while the amount of stolen data nearly doubled to 9,350 records from 2016's average of 5,079.

"We were alarmed to find that small and mid-sized businesses are becoming a huge target for hackers," said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. "As both frequency and size of data breaches increases, SMBs must face the reality that a material adverse financial impact on their business is a real possibility. Attacks are becoming more costly with the average cost due to damage or theft of IT assets and infrastructure now exceeding $1,000,000. The average cost due to disruption to normal operations also increased to over $1,000,000 compared to the 2016 report. One cyber incident could very well put a small company out of business."

Internet of ‘not-so-smart things’

The same survey uncovered that 67% of respondents were very concerned about the impact of Internet of Things (IoT) devices in their office. 56% believe IoT and mobile devices are the most vulnerable endpoints in their organizations’ networks, Ponemon reports.

Bitdefender predicted last year that, as IoT proliferation increases, so will the security threats posed by their deployment and use.

"The major emerging threat for 2017 is the botnet made up of not-so-smart things," opined Catalin Cosoi, Chief Security Strategist, Bitdefender.

SMBs’ willingness to pay up keeps ransomware in business

Ponemon’s findings further confirm Bitdefender’s predictions that cyber-criminals will increasingly set their sights on small and medium-sized businesses to extort higher fees in 2017 and beyond (Ransomware targets SMBs due to weaker protection and greater willingness to pay up).

Ransomware is a potent form of malware that holds data “hostage.” Hackers make their way onto a system or network using phishing scams, social engineering, or software vulnerabilities, and encrypt the target’s data, demanding a ransom, usually in crypto-currency (Bitcoin, Monero, Ethereum, etc.), in exchange for decrypting the data. Attackers, however, don’t always send the decryption key to the victim even when ransom is paid.

Until a few years ago, ransomware targeted individuals, taking in modest gains for hackers. Starting with 2016, SMBs have become the ideal targets for ransomware, as many businesses failed to invest in security solutions despite handling sensitive business information (i.e. customer data, financial records, intellectual property, etc.).

Things not only did not improve in 2017, but the attack surface increased considerably to include numerous SMBs willing to cough up ransom money in exchange for the decryption keys to unlock their data.

New research by Bitdefender found that 45% of the SMBs that paid to regain access to their data in 2017 actually got their information back. Some 65% mitigated the attack by restoring from backup and 52% did so through security software/practices.

More worryingly, a quarter of those targeted couldn’t find a solution to address the attack and ended up losing their data.