Ransomware Basics for SMEs — Why Small Companies Are Targeted and What to Do Today
An introduction to ransomware: common infection routes, why SMEs are targeted, a priority countermeasure map, and the initial response steps if infected.
What Is Ransomware?
Ransomware is a general term for malicious software that encrypts or otherwise disables a company's data and systems, then demands payment (a ransom) in exchange for restoring access. In recent years, many attacks reportedly go further, adding a 'double extortion' tactic: attackers steal data beforehand and threaten to publish it unless payment is made, in addition to encrypting files. This article looks at why SMEs are often exposed to ransomware and what can be done starting today.
Reported Trends — Warnings from Public Agencies
Japan's National Police Agency and IPA have continued to receive reports of and inquiries about ransomware incidents, and both regularly urge caution across organizations of every size. Missing backups and unpatched perimeter devices are frequently cited as factors that make damage worse once an attack occurs. Because the methodology behind published figures varies by source, this article avoids citing specific damage totals or incident counts and instead describes the general trend in official warnings. For detailed statistics and the latest developments, consult materials published directly by IPA or the National Police Agency.
Common Ransomware Infection Routes
One common entry point is an attachment or link in an email disguised as routine business correspondence. Emails posing as a business partner or public institution reportedly continue to trick recipients into opening attachments or entering credentials on a fake login page.
Another reported route is the exploitation of vulnerabilities in devices used to connect to the internal network from outside, such as VPN appliances or remote desktop services. Devices that have fallen behind on firmware updates are said to warrant particular attention.
A pattern that has drawn increasing attention is the supply-chain attack, in which attackers gain access through a business partner or subcontractor. Even when a company's own security measures are solid, damage can still occur through a partner's systems. How to Respond to a Business Partner's Security Checksheet covers how to handle security requirements from business partners.
Why SMEs Are Often Targeted
Compared with large enterprises, SMEs are less likely to have a dedicated security staff member, and investment in countermeasures tends to be limited. Many SMEs are also part of a larger enterprise's supply chain, which reportedly makes them attractive targets — both easier to breach and a potential stepping stone to a bigger target. For the full picture of IT risk facing SMEs, see The Complete Guide to IT Risk Management for SMEs.
Four Priority Countermeasures
Budget and staff time for countermeasures are always limited. A common approach is to treat backups, software updates, and multi-factor authentication as the foundation, since they tend to offer strong protection relative to their cost, and then layer on employee training, which requires ongoing effort rather than a one-time fix. The table below is a general guide to priority, and the right order can vary depending on your industry and the type of data you handle.
| Countermeasure | Purpose | Ease of Getting Started |
|---|---|---|
| Backups | Keep a path to recovery even if data is encrypted | Relatively easy to start |
| Software updates | Reduce the risk of known vulnerabilities being exploited | Relatively easy to start |
| Multi-factor authentication (MFA) | Prevent unauthorized logins even if credentials leak | Relatively easy to start |
| Employee training | Improve awareness of suspicious emails and behavior | Requires ongoing effort |
Getting Backups Right
Backups are an area where things often go wrong in practice — a backup that turns out not to be current, or one that gets encrypted along with the original data because it was reachable over the network. The so-called '3-2-1 rule' — keeping data on multiple types of media, with at least one copy stored offsite or offline — is a commonly referenced approach. Regular restore testing is also worthwhile. 5 First Steps in Security for SMEs also covers backups among its priority measures.
Initial Response If You Are Infected
- Disconnect from the network: Immediately unplug the LAN cable or disable Wi-Fi on any device suspected of infection to limit the spread
- Preserve evidence: Do not power the device off; record and preserve what's on screen and any unusual behavior (a hasty factory reset can hinder later investigation)
- Notify stakeholders: Contact the responsible person inside the company, your IT vendor, and if warranted, the police or a specialized agency
- If personal data may be involved: See Initial Response to a Personal Data Breach for the first steps when a breach of personal data is suspected
- Keeping the business running: See IT-BCP Basics for SMEs for maintaining operations while systems are down
Should You Pay the Ransom?
Whether to pay a ransom is a difficult decision that involves business judgment, but in general, payment does not guarantee that data will be restored, and paying is sometimes said to increase the risk of being targeted again. Many law enforcement and public agencies, in Japan and elsewhere, reportedly advise against paying. If you do face this situation, it is advisable not to decide alone — consult the police, a specialized agency, or your insurer if you have coverage. Cyber Insurance Basics covers this as a form of financial preparation.
Frequently Asked Questions
Does a small company really need expensive security products?
Expensive products are not necessarily the top priority. In general, thoroughly implementing the basics — backups, software updates, and multi-factor authentication — is considered to offer strong protection relative to its cost.
Is having backups alone enough?
Backups are an important safeguard, but not sufficient on their own. There are reported cases where the backups themselves were encrypted or destroyed, and double-extortion tactics involve data theft as well, so it is best to combine backups with updates, stronger authentication, and other measures.
What should we do first if we notice an infection?
In general, disconnecting from the network to limit further damage is the top priority. From there, the basic flow is to preserve evidence while contacting the responsible person in the company, your IT vendor, and if needed, the police or a specialized agency.
Summary
Ransomware remains a threat with ongoing reported damage regardless of company size, and it is considered important to prepare rather than assume 'it won't happen to us.' Steadily building up the four basics — backups, updates, multi-factor authentication, and training — forms the foundation of a solid defense.
Feel free to contact us
Contact Us