Oops, all your organization’s data is encrypted! Could you manage to make a multi-million dollar ransom payment to restore operations? Probably not if you’re a small or midsize business – a small business ransomware attack can be the end of the line. It’s better to have a ransomware defense plan to avoid the situation altogether.
You don’t need to be a cybersecurity expert to create or implement a ransomware defense strategy. We’ll give you a three-point strategy here, built on a three-pronged approach: Training, Technical Controls, and Incident Response Preparation.
Ransomware Defense Point 1: Employee Training
Phishing and similar social engineering attacks are the attacks that most often succeed in compromising a company’s security. If a bad guy gets an employee to click a malicious link or download a dangerous file from an email that looks legitimate, they’re in.
With that in mind, employee training is an absolutely crucial element of all cybersecurity plans – including ransomware defense.
Even if you have a midsize or small business, you need to put cybersecurity training in place for all of your employees who answer a company phone or have an email address.
We usually recommend KnowBe4, but there are plenty of packages available. For a sub-100-person company, the license cost is usually a couple of thousand dollars per year – it’s the best bang-for-your-buck cybersecurity investment there is.
There are free cybersecurity training programs out there, but the relatively low cost of much higher-quality paid training means “free” usually isn’t worth it.
Ransomware Defense Point 2: Technology
Email Security helps prevent Ransomware
Email is the primary attack surface for all cyber attacks, so your company should spend a lot of time configuring your email system to prevent malicious emails from ever getting through. After all – it’s a lot harder for employees to click on links in emails they never receive!
Chances are you either have Google Workspace (formerly G Suite) or Microsoft 365 providing your email and office suite. Regardless of the vendor you use, you should review and configure your DMARC, DKIM, and SPF records.
Thankfully, there are some tools that make a quick check easy, even if you don’t know what those records are. MXtoolbox Email Health can give you a free view of whether you have a big problem. Another great free (to start) tool is EmailSpoofTest, where you can actually test whether bad emails can get into your inbox. We also have a detailed guide on how to use EmailSpoofTest and make some (not all) edits to your DMARC, DKIM, and SPF records.
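As an added illustration (not code from the original post or from the tools it names), here is a small checker that reads a domain’s SPF and DMARC TXT records and flags the weak settings those tools warn about: a missing record, a permissive `+all`, or a `p=none` DMARC policy. The domains and records are constructed samples standing in for real DNS lookups; DKIM is not checked because it needs the selector name, which DNS alone does not reveal.

```python
# Constructed sample TXT records standing in for DNS lookups (hypothetical .test domains).
SAMPLE_TXT = {
    "weak.test": ["v=spf1 a mx +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
    "good.test": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.good.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.test; pct=100"],
    "none.test": [],
}

def lookup_txt(name):
    """Stand-in resolver: returns the TXT strings for a name (empty list if none)."""
    return SAMPLE_TXT.get(name, [])

def check_spf(domain, resolver=lookup_txt):
    """Return findings for the domain's SPF record; an empty list means it looks sound."""
    spf = [r for r in resolver(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record (receivers treat this as a permanent error)"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF: no 'all' mechanism, so unlisted senders get a neutral result"]
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF: '+all' lets any host send as this domain"]
    if qualifier == "?":
        return ["SPF: '?all' is neutral and provides no protection"]
    return []  # '-all' (fail) or '~all' (softfail) both restrict unlisted senders

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(domain, resolver=lookup_txt):
    """Return findings for the _dmarc record: monitoring-only policy, no reports, partial pct."""
    recs = [r for r in resolver("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no record at _dmarc." + domain]
    tags = parse_dmarc(recs[0])
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    return findings

def audit(domain, resolver=lookup_txt):
    """Combine SPF and DMARC findings for one domain."""
    return check_spf(domain, resolver) + check_dmarc(domain, resolver)
```

Swapping `lookup_txt` for a real resolver call turns this into a check you can run against your own domain before and after editing the records.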
While some of it is doable on your own, you should really have an email security specialist get everything configured properly. It should only take a few hours of contract/consulting work with one to be set for years to come.
Once configured, Google Workspace has sufficient anti-spam tools to keep the vast majority of malicious emails out of your company’s inboxes. Microsoft 365 needs more help, especially if you are on the basic E3 licenses because Microsoft makes security tools a premium feature.
Simply put: Microsoft 365 E3 license users absolutely need another security tool to adequately protect themselves. Again, there are a lot of options out there, but we like GreatHorn the most.
Microsoft’s advanced licenses (Defender for Email, E5 licenses / Advanced Threat Protection (ATP)) are okay, but from a cost-to-value perspective they are mediocre. Again, other email security tools will likely deliver higher value.
Antivirus and Monitoring Tools
Make sure you have good antivirus/endpoint protection on all company computers. In the event that a malicious email is clicked, the antivirus software is a last-line ransomware defense to stop encryption from happening.
Similarly, monitoring tools can help alert you to malicious activity before it’s too late.
Backup Everything Regularly
The last important technological control for ransomware defense is system backups. Backup everything regularly and test your restore process. You can avoid paying the ransom if you can restore your files on your own!
Ideally, the restore process is something that’s been practiced so the team can perform it more efficiently in a real scenario. You also need to know how long (hours, days, weeks?) it would take to restore everything.
Ransomware Defense Point 3: Incident Response Plans
In the event that a small business ransomware attack does happen to your company, you can reduce its impact by having an incident response plan in place.
So, you need a formal incident response plan with a section on how to respond to a ransomware attack. The plan should define the team, how you make decisions, and so on. It should include contact information, who your technical response remediators are, your backup and restore practices, which attorney you are going to use, and your cyber insurance information. You should also run tabletop exercises at least once a year to validate your plan and make corrections.
It’s also worth considering whether or not you would pay a ransom. How much would have to be encrypted or how long would it have to take to restore for it to be worth it? What price could you pay, and how much would be too high?
Three Points to Avoid Midsize and Small Business Ransomware Attacks
Step 1: Get cybersecurity awareness training for your employees.
Step 2: Set up your technical controls – email security, antivirus, and system backups.
Step 3: Create an incident response plan and practice it.
Think that this is a lot of work? It is.
The alternative might be that your oil pipeline is shut down for a week with infinite brand damage and millions of dollars in cost! And if you can’t afford a multi-million dollar ransom, a midsize or small business ransomware attack might be the end of your organization altogether.
It takes time, but a business of any size can use this three-point approach as a blueprint for its own ransomware defense strategy.