While cyberattacks on Norsk Hydro, State Farm, and Capital One have caught the media and the public’s attention, the list of cyber victims extends far beyond large organizations. According to the 2018 Verizon Data Breach Investigations Report, 58% of all cyberattacks have targeted small businesses, and inside one cyber insurance powerhouse, the numbers are even more concerning.
“We have seen a 6x increase in ransomware attacks over the last four years and that’s mostly small business, and the costs of responding to those ransomware attacks are up almost tenfold over the last two years,” said Jeremy Barnett, SVP of marketing and business development in Tokio Marine HCC’s cyber and professional lines group. He cautioned that cybercrime activity is up across the board, but Tokio Marine focuses on small business and so sees a concentration of these risks.
Part of the reason for higher costs is that hackers today are making higher demands. For a period, Barnett explained, cyber criminals were testing the market to see how much they could ask from companies, which made ransoms between $10,000 and $30,000 commonplace: sums of that size stayed under the FBI’s radar, and businesses paid up because the demand wasn’t huge.
“It was all about getting businesses used to seeing what ransomware is, realizing if they pay the ransom in Bitcoin, how to process that with a Bitcoin wallet, how to deliver a decryption key and unlock the system, and proving to industry that the criminals have some honor,” said Barnett. “If you pay your ransom, you will get the key, and you will get your business back. If anybody screwed that up, then it wouldn’t be a business for the criminals because people would complain that they’re taking our ransom money, but not giving us the decryption key, so we’re not going to pay the ransom anyway.”
However, once the business model was set in stone and businesses did pay the ransoms, cyber criminals started to ratchet up the game.
“All of a sudden in 2018, you’re hitting six-figure ransoms and seven-figure ransoms, and people are familiar with how to process it. There’s a whole industry built around purchasing Bitcoin, transferring Bitcoin, and getting the decryption keys, so you have a test market for a while and then costs just went through the roof,” added Barnett.
While the bigger ransom demands – think those between $250,000 and $500,000, according to the Insurance Industry Cybercrime Task Force – tend to be targeted at bigger businesses, smaller businesses are also not immune to hefty demands.
“It’s that conundrum where [hackers] recognize that there’s an insurance treasure trove that pays for ransom, so they’re asking for it,” said Barnett. “The small businesses are getting hit as well and, depending on the sophistication of that small business, they will or will not choose to pay the ransom, depending on the business impact.”
If downtime and the inability to conduct business is too expensive for a small business on a day-to-day basis, it will pay the ransom just to get that income flow back. However, if the fallout from the cyberattack is less severe and the business can take its time to restore its systems from backup, it can choose not to pay the ransom.
Considering that hackers are now going after far more than the healthcare sector, small businesses might be choosing the former path more often than not. For example, professional services, such as accountants, as well as retailers have become popular targets.
“If you’re accountants and you can’t get access to your client files, you don’t have anything to do in the morning,” said Barnett. “They see that it’s mission critical to go after those businesses to lock up their systems so that they’ll pay the ransom faster. I think generally the smaller organizations that don’t have the sophistication – either in the security, so they’re more likely to be vulnerable or they don’t have sophisticated resources to help them – just want to pay the ransom to get their system back.”