Supply chain SMBs urged to address vulnerabilities as ransomware attacks soar

This article first appeared in Food Logistics.

Seattle-Tacoma International Airport. JAS Worldwide. Port of Seattle. They’re just the latest in a long list of ransomware victims—and they won’t be the last. A scourge since the malware first arrived via floppy disk in 1989, AI tools, sophisticated social engineering, and Ransomware-as-a-Service have escalated the scope and scale of the attacks, demanding the supply chain industry’s attention. Yet, this existential threat remains squarely in a blind spot for too many SMBs.

Cyberattacks on large corporations and government agencies make news, and that, in part, is creating a false sense of security.

Absent coverage of attacks on similarly-sized organizations, it’s easy to understand why business leaders mistakenly believe they’re too small to be worth a hacker’s time. What they may not realize is that it costs hackers almost nothing to run automated crawlers and identify vulnerable internet and IP addresses, and that the cost of entry is nothing compared to the wins. Now, as large companies harden their environments, it’s the smaller organizations that will be increasingly targeted. Worse, as more of these companies acquiesce to ransom demands, hacker farms will expand their staff.

To be clear: The threat is far more widespread than many realize. Ransomware shattered records in 2023, and reports document more than $1 billion in disclosed ransom payments. The impact is certainly far worse, of course. Like the double brokering schemes that plague the freight industry, most victims don’t report the crime.

Ransomware is expected to break records again this year, and SMBs would be wise to heed these words of caution: Evaluate your vulnerabilities and address them—now.

It took JAS Worldwide, an organization with 7,000 employees and a presence in 100 countries, a full eight days to restore its essential systems; an extended period of downtime that would shutter many small businesses.

Unfortunately, too many decision-makers outside of IT don’t take ransomware seriously enough—until it’s too late.

The obscene ransom demand is only the beginning

The damage inflicted by a single ransomware attack goes far beyond the acute business impacts, ranging from ransom demands and data loss to blunted revenue and hefty regulatory fines.

Once a hacker has successfully executed an attack on your business, its name can be added to lists that circulate around the Dark Web, indicating that you’re vulnerable. It’s why businesses will report additional attacks after the first instance; other hackers want to get in on the easy action.

For years, IT professionals have raised the alarm on other, downstream business impacts. In 2020, enterprise data protection provider, Arcserve, delivered concrete support. In a survey of 2,000 consumers, their report found that 39 percent of respondents chose not to do business with a company because of their data security concerns and 28 percent said they’d take their business elsewhere if they encountered even a single service issue. That’s not all: 84% shared their ransomware-related experience with others, tarnishing brand reputations.

Scared? You should be.

It’s time to address the cracks in your protective wall

Some organizations purchase cyber insurance, believing they won’t have to do anything else. They’re flat-out wrong. Recovering a claim doesn’t address the impacts to your brand, and it doesn’t immediately restore trust with your consumers. In short, leveraging cyber insurance should be your last resort. Besides, if you don’t have the right cyber security posture, you’re going to pay more for it—if you can even get it at all.

It’s time to rethink how you approach ransomware protection.

Like any other criminal, hackers and their bots are looking for the path of least resistance. Consider thieves walking through a dark parking lot for a moment. They’re looking for open vehicles, and the simple act of locking your doors will encourage them to move on to the next, easier car to empty.

The question then becomes: Is your door “unlocked”?

Spotting the vulnerabilities that beckon hackers

Whether you’ve outsourced your data protection and security to a managed service provider or you have an in-house IT department, it’s critical that you ask some revealing questions to determine if you’re adequately protected.

• How regularly do we update our systems and applications and implement security patches? Regularly maintaining your systems and applications is IT 101, but it’s not uncommon for this work to slide when under-resourced teams face other pressures from the C-Suite.
• Do we practice the principle of least privilege? Every access point represents a potential vulnerability. Only people who require a particular system or application to do their jobs should have access—and that access should be reviewed regularly.
• Have we implemented robust ransomware protection solutions? Data security solutions aren’t enough on their own. They offer a critical layer of protection but they can’t prevent every attack. What’s more, paying the ransom is no guarantee that you’ll get your data back. With data backup and recovery solutions in place, you may be able to roll back your systems and tell the attacker to take a flying leap.
• Have we thoroughly documented our IT infrastructure—and established RTOs and RPOs? That’s Recovery Time Objectives and Recovery Point Objectives, for the uninitiated. You should have a thorough understanding of your entire hardware, software, and business application inventory, and know how long any of these systems can be down and how much data can be lost without critically damaging the business, so you can prioritize your disaster recovery.
• Have we implemented a 3-2-1-1 backup strategy? Protecting your business sustainability means keeping three copies of your data at all times, one original and two copies; storing your backups on two different media; storing one copy offsite, perhaps in the cloud; and ensuring one copy of your data is immutable, meaning it can’t be altered or deleted by hackers. This strategy can go a long way toward mitigating the damaging impacts of ransomware.
• Is our staff adequately trained on data security? Your team is your first line of defense. They should be able to spot phishing attacks and, if they suspect ransomware, know to immediately disconnect their computer from the network and notify IT.
• Do we have a cross-department ransomware crisis plan in place—and have we practiced it? A thorough crisis plan, created in collaboration with IT, finance, communications, legal, and HR leadership, can accelerate your recovery and minimize associated damage. It should detail your step-by-step technical recovery, as well as a plan for keeping your internal and external audiences informed.

Tackle your ransomware vulnerabilities before hackers come calling

In IT circles, it’s well understood that internal IT departments are often under-resourced and understaffed—and managed service providers struggle to get clients to adequately invest. It’s not hard to understand why. What we’re talking about here is akin to insurance; it’s not sexy, and it may not deliver immediate impacts to your bottom line. As organizations scramble to carve out a competitive advantage, it’s shiny new toys, like blockchain and AI, that draw investment.

We urge you to keep business continuity at the forefront of your decision-making, however.

Data security and protection are critical in the face of the rising ransomware threat. Think of the resources you invest, not in terms of the line-item cost, but rather in the value of not falling to an attack.