New ransomware rules for businesses: Are you prepared for an attack?

What is ransomware?

Ransomware is a type of malware used to extort businesses and individuals. It encrypts your files so you can no longer use them and demands a ransom, usually in cryptocurrency, in exchange for the key to unlock them.

From today, businesses are legally required to report ransomware payments.

If someone extorts a payment from you by locking up your data, you now have 72 hours to report it to the Government – or potentially face civil penalties.

The rule change applies to businesses with an annual turnover of $3 million or more; you are also obligated to report if you’re the responsible entity for a “critical infrastructure asset” (under Part 2B of the 2018 SOCI Act). Non-monetary payments (e.g. services, gifts, or information) must also be reported.

Note that this change doesn’t mean you have to report every ransomware attack – just instances where a payment was made. You might still need to report under existing obligations, but small businesses are generally exempt from these.

Small businesses still need to take action

Though the new rules target larger businesses – which are more likely to pay extortioners – that doesn’t mean small businesses don’t get attacked.

“Small business gets targeted all the time,” said IT consultant and Tech Seek founder Fil Strati.

Strati, who works with small businesses, once had a small dental clinic on his books that lost its files to a ransomware attack. All of its files were encrypted except for the database files for its practice software. The clinic didn’t pay the ransom, and the lost files weren’t critical, but it was still a memorable lesson.

“[The malware] wasn’t looking for those particular files,” Strati explained. “They were lucky.”

Meanwhile, security firms have observed a shift in who ransomware attackers are targeting.

“Our Incident Response team has noticed a shift away from ‘big game hunting’, or ransomware attacks targeting the big end of town, and towards SMEs who are generally less prepared,” said Mark Thomas, Director of Security Services ANZ at Arctic Wolf.

What you need to know

Never pay a ransom. If you do pay up, said Strati, there’s no guarantee you’ll get your data back. And paying can tell a cybercriminal that you’re cashed up, making you vulnerable to retargeting.

Instead, small businesses should have a secure backup system in place, Strati advised.

“A lot of small-business owners will plug in an external hard drive and use that as their backup,” he explained. “But if that drive is connected, when you get infected, it will jump across to that drive as well.”

Beware of using cloud storage – that can also be infected by malware, Strati added.

As for how often you need to back up, that depends on how much data you can afford to lose, because everything created since the last backup is what you stand to lose. If you could tolerate losing a month’s worth of data, backing up once a month may be enough; if a day’s worth would hurt, back up daily.

If you are targeted – or if you have been targeted before – don’t feel bad. It can be easy to fall for a scam when you’re stressed or busy with running a business.

“It’s designed to catch you when you’re too busy,” said Strati. “We’re so busy doing what we’re doing.”

What can you do to protect yourself?

ISB asked Strati what a small-business owner can reasonably do to protect their business from a ransomware attack. Here are some steps you can take:

  • Train your staff to recognise cyber threats.
  • Use multi-factor authentication.
  • Back up often enough that you can afford to lose whatever is created between backups.
  • Physically separate your backups from your computer, so a backup drive isn’t connected when an infection hits.
  • Consider endpoint detection and response (EDR) software: In the event of an attack, this can help you figure out what data has been breached. Strati encourages businesses that handle sensitive data to consider this option.
  • If you’re particularly concerned, consider paying your antivirus service provider for round-the-clock monitoring via a security operations centre (SOC), if your provider offers this.
  • Never pay a ransom – this could just invite further extortion attempts later.
  • Know who to call in the event of an attack – e.g. who controls your domain? Do you have a tech provider for your website?
  • Make an emergency plan with contact details and clear steps in case an attack happens to you, so you can respond as quickly and calmly as possible.
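The backup advice above (keep the drive detached, back up as often as your tolerance for loss demands) has one gap worth closing: a scheduled backup that runs after an infection will happily copy the freshly encrypted files over the last good copy. The script below is an added example, not code from the article or from Strati or Tech Seek. It keeps every backup as a separate timestamped snapshot with a SHA-256 manifest, and before writing a new snapshot it refuses if the source looks like it has just been mass-encrypted (more than half the previously backed-up files changed or vanished, or files carrying typical ransomware extensions). The manifest name, the extension list and the 50% threshold are assumptions chosen for illustration.

```python
"""Versioned backups with a pre-flight check, so a freshly encrypted working
copy is never written over the last good snapshot.

Added example, not from the article.  Assumptions (not in the original):
a backup target directory that is only attached for the backup window, a
per-snapshot SHA-256 manifest, and two refusal heuristics: too many files
changed at once, or ransomware-style file extensions present.
"""
from __future__ import annotations

import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "MANIFEST.json"
# Illustrative (assumed) list of extensions ransomware families append; not exhaustive.
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}
# A normal working day changes a few percent of files; an encryption run changes almost all.
MAX_CHANGED_FRACTION = 0.5


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root (manifest excluded)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def latest_snapshot(dest_root: Path) -> Path | None:
    """Most recent snapshot directory, relying on timestamp names sorting lexically."""
    if not dest_root.exists():
        return None
    snaps = sorted(p for p in dest_root.iterdir() if p.is_dir() and (p / MANIFEST).exists())
    return snaps[-1] if snaps else None


def preflight(current: dict[str, str], previous: dict[str, str] | None) -> tuple[bool, str]:
    """Decide whether the source looks healthy enough to snapshot, with a reason."""
    suspects = [p for p in current if Path(p).suffix.lower() in SUSPECT_SUFFIXES]
    if suspects:
        return False, f"{len(suspects)} file(s) carry a ransomware-style extension, e.g. {suspects[0]}"
    if not previous:
        return True, "no earlier snapshot to compare against"
    changed = sum(1 for p, digest in previous.items() if current.get(p) != digest)
    fraction = changed / len(previous)
    if fraction > MAX_CHANGED_FRACTION:
        return False, f"{fraction:.0%} of previously backed-up files changed or vanished"
    return True, f"{fraction:.0%} of files changed since last snapshot"


def snapshot(source: Path, dest_root: Path) -> Path:
    """Copy source into a new timestamped directory and write its manifest.

    Raises RuntimeError (and writes nothing) when the pre-flight check fails,
    so the previous snapshot stays intact for recovery.
    """
    current = build_manifest(source)
    prev = latest_snapshot(dest_root)
    previous = json.loads((prev / MANIFEST).read_text()) if prev else None
    ok, reason = preflight(current, previous)
    if not ok:
        raise RuntimeError(f"refusing to back up: {reason}")
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    target, n = dest_root / stamp, 0
    while target.exists():  # two runs in the same microsecond; keep names unique and sortable
        n += 1
        target = dest_root / f"{stamp}_{n}"
    shutil.copytree(source, target)
    (target / MANIFEST).write_text(json.dumps(current, indent=1))
    return target


def verify(snapshot_dir: Path) -> bool:
    """Recompute hashes and compare with the manifest written at snapshot time."""
    expected = json.loads((snapshot_dir / MANIFEST).read_text())
    return build_manifest(snapshot_dir) == expected


if __name__ == "__main__":
    import sys
    snap = snapshot(Path(sys.argv[1]), Path(sys.argv[2]))
    print("snapshot written to", snap, "verified:", verify(snap))
```

Run it from a scheduled task only while the backup drive is attached, and detach the drive afterwards; the pre-flight check reduces the chance of polluting the backup set, but it is no substitute for keeping a copy offline. Note that the very first snapshot has nothing to compare against, and that the threshold will also refuse a legitimate bulk change (a big migration), which is the right default: a human can rerun the backup after confirming the change was intended.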