For Indian small businesses, delayed payments and debt are not the only issues, the country’s micro, small and medium enterprises (MSME) and startups are fighting another epidemic of ransomware attacks. In the face of increasing digital attacks, no business is too small to be targeted by cybercriminals.
A 2022 study by the cybersecurity company, NordLocker revealed that India is among the top countries hit by ransomware attacks with more than half targeted at the nation’s small businesses. Notably, the report stated that MSMEs with an employee base of 500 are at the highest risk, consisting of about 54 per cent of total attacks from January 2020 to July 2022.
Akamai Technologies, a cloud company in a report has stated that the use of zero-day and one-day vulnerabilities has led to a 204 per cent increase in total ransomware victims between Q1FY2022 and Q1FY2023 in Asia-Pacific and Japan (APJ).
The report also found that ransomware groups increasingly target the exfiltration of files and the unauthorised extraction or transfer of sensitive information, which has become the primary source of extortion. This new tactic indicates file backup solutions are no longer a sufficient strategy to protect against ransomware.
The spike in ransomware attacks is due to adversaries shifting the emphasis of their modus operandi from phishing to vulnerability abuse in order to exploit unknown security threats and infiltrate business internal networks to deploy ransomware.
The report also found that the majority of ransomware victims in APJ are small-to-medium-sized enterprises (SMEs) with a reported revenue of up to USD 50 million. Ransomware groups are increasingly targeting the exfiltration of files, which has become the primary source of extortion. This new tactic indicates file backup solutions are no longer a sufficient strategy to protect against ransomware.
Victims of multiple ransomware attacks were more than six times more likely to experience the second attack within three months of the first attack.
Sunil Sharma, Vice President, Sales India and SAARC, Sophos said, “The misconception that SMEs are too small to fall victim to cyberattacks has been disproven. Recently, start-ups too have been in the news for security breaches, with one company losing 35 million records and another losing over 20 million records. Today, cybercriminals view businesses irrespective of their size as potential targets. While investing in cybersecurity might seem like an additional expense for SMEs, not doing so could result in much larger financial losses owing to an attack.”
Moreover, cyberattacks often catch small businesses off guard, just as they do with larger enterprises. These attacks often occur over weekends or during off-hours when IT teams may not be as vigilant. Hence, it is advisable to implement continuous threat hunting and proactive security measures to effectively counter these unexpected attacks.
“I think threat actors go after small businesses as they and rightly so, prioritise growing their operations over making investments into security. To optimise their returns, they often overlook security. Moreover, small businesses are also likely to pay ransom early as they cannot sustain stalling their operations for a long period of time. Threat actors are quick to take advantage of these vulnerabilities and exploit them,” said Neelesh Kripalani, Chief Technology Officer (CTO), Clover Infotech.
Attacks, extortion and burden
As per CyberPeace Foundation, about 43 per cent of all cyberattacks target small businesses and startups in India. With expedited digitalisation, startups and SMEs are becoming more prone to cyberattacks due to their minimal security infrastructure. According to research by cybersecurity firm Trellix, Indian SMEs faced an average of 37 cybersecurity incidents per day, amounting to a loss of nearly 7 per cent in revenue over the last 12 months.
For businesses with limited cybersecurity budgets, it’s crucial to understand that while monetary constraints exist, the financial implications of cyberattacks cannot be overlooked. It is important to recognise that allocating resources to cybersecurity is an investment in long-term protection.
“Last year, our survey on the Future of Cybersecurity in Asia Pacific and Japan found that a mere 11 per cent of technology budgets across India are dedicated to cybersecurity. As threats evolve and increase, simultaneously so should budget allocation towards security. In doing so, it can significantly enhance a small business’ resilience against cyber risks,” added Sophos’ Sharma, Vice President.
Don’t have enough money
Experts told BW Businessworld that prioritising and investing in cybersecurity during the early stages of operations is crucial for SMEs for several reasons. However, SMEs often lack the robust security infrastructure that larger businesses have, making them more vulnerable to cyberattacks. Investing in cybersecurity from the start is more cost-effective than dealing with the aftermath of a breach, which can include financial losses, reputational damage, and legal consequences.
“Further, as SMEs grow and collect more data, they become attractive targets for cybercriminals seeking valuable information. Hence, by not treating security as an afterthought and establishing stringent cybersecurity practices right from the beginning, SMEs can build a solid foundation to safeguard themselves from cyberattacks,” added Clover Infotech’s Kripalani.
Small businesses tend to have limited resources for robust security, and since start-ups and SMEs are highly data-driven, attackers look at them as prime targets. This is why ransomware attacks have become so prevalent because even if they don’t get a payout, they gain valuable data. Data that can’t be recreated or retrieved without robust security. This can destroy not only their business but even their reputation.
According to our State of Ransomware 2023 report, 44 per cent of Indian companies hit by ransomware attacks paid the ransom. An average bill of USD 1.03 million was faced by Indian companies after being hit by a ransomware attack, without any guarantee that their data would be returned.
“A few ways in which businesses can keep their data safe include keeping software up-to-date, having strong firewall systems, training employees to be alert to phishing attempts, regularly backing up data securely, and implementing zero-trust systems and active threat detection,” Sharma added.
Consequences
“Indian SMEs are driving the India growth story and therefore find themselves as an attractive target for ransomware attackers from across the globe. A ransomware attack on an SME can lead to an outage of services, delay in deliveries and even loss of revenue and reputation in our highly competitive market. Therefore, it is absolutely imperative that organisations prepare to ward off such attacks and have a recovery strategy in place before they are attacked.
“Lack of resources and preparedness leads to a loss of reputation and has a direct impact. Therefore, SMEs have to respond by having the right tools and technologies to keep the attackers at bay and more so, be prepared to recover from such an attack. Organisations can leverage simple strategies like the two-two-one rule– at least three copies of data, in two different media and at least one of them offsite– paving the way for a quick recovery. There are solutions which help is prevention and early detection of attacks– with the evolving nature of the attacks, it is always recommended that a formidable recovery strategy should be in place,” asserted Shuja Mirza, Director, Solutions Engineering, NetApp India.
Kripalani explained that cyberattacks have varied intentions, majorly it is financial gain through monetary theft, data theft, or business disruption. Small businesses are frequently targeted due to their perceived vulnerability resulting from limited resources, inadequate awareness, and weaker security measures. Attackers use these factors to access valuable data, exploit vulnerabilities, and take advantage of weaknesses.
Also, the impact of such attacks, especially on small businesses, is not limited to financial loss. It can lead to reputation damage, loss of business, and operational disruption, and can threaten the very survival of the business. Mitigation involves acknowledging these threats, prioritising cybersecurity, and adopting measures to counteract potential attacks effectively.
The lack of resources, legacy technologies, the evolving nature of end-point devices, and the unavailability of skilled manpower make smaller businesses more susceptible to cybersecurity threats. Moreover, this coupled with the hybrid work culture has given cybercriminals an increased number of avenues to launch their attacks. This has made the SME segment a soft target for most cyber criminals given their lack of preparedness to address the rising cybersecurity challenges.
