What do Swedish grocery stores, New Zealand schools, and a thousand or more small and medium businesses (SMBs) around the world have in common? They are all surprise victims of a recent ransomware attack initially directed at Kaseya, an IT management software company.

The attack, subsequent news coverage and messaging from Kaseya created confusion and a sense of helplessness, especially among SMBs. After all, how on earth can they protect themselves from such sophisticated and unavoidable foes?

It’s helpful to keep three little-understood facts in mind:

  1. So-called “sophisticated” attacks are often not sophisticated at all
  2. SMBs don’t usually make the news, but they are frequently targeted
  3. SMBs that comply with the EU’s General Data Protection Regulation (GDPR) greatly reduce their vulnerability to ransomware

“Sophisticated” attacks often are not

Companies like Kaseya and SolarWinds often use words like "sophisticated," "novel," or "unprecedented" to divert attention from their own embarrassing and unsophisticated failures. But the Kaseya attackers apparently used one of the oldest tricks in the book, SQL injection, to get in. At SolarWinds, the password solarwinds123 had been posted publicly.
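To show just how old and how basic this trick is, here is an added illustration (not Kaseya's code, and not the actual flaw in their product) of the general pattern: a login query assembled by pasting untrusted input into SQL text, next to the same query written with bound parameters. The table, the accounts and the `' OR '1'='1` payload are constructed for the example; the database is an in-memory SQLite instance so it runs anywhere.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed accounts.

    Passwords are stored in the clear only because the point here is the
    query, not credential storage; a real system would store password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input becomes part of the SQL statement."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the input as data, the SQL structure is fixed."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the same injection payload against both versions."""
    conn = make_db()
    # With the vulnerable version the statement becomes
    #   ... AND password = '' OR '1'='1'
    # and the OR clause matches every row, so the attacker is "logged in"
    # as the first user in the table without knowing any password.
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", payload),
        "parameterized": login_parameterized(conn, "alice", payload),
        "legit": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function returns `alice` for the injected password while the parameterized one returns nothing, and the parameterized one still works for the real credentials. Any competent code review, static analysis tool or penetration test looks for exactly this pattern; it has been on the OWASP Top 10 since the list began.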

Standard approaches, including Kaseya's own Security Operations Center services, together with routine penetration testing should have caught this. And many SMBs were adequately protected through other means and did not get caught up in Kaseya's web.

Ransomware gangs are scary and evil. In this case they are doing double duty as “technical debt” collectors, forcing Kaseya and others to catch up to modern practices.

Key takeaway: Calling an attack "sophisticated" is often a weak excuse from a company that made a basic error. It does a disservice to SMBs by making it seem as though nothing can be done.

SMBs are often targeted

Ransomware attacks on smaller organizations rarely make the news, but they are common and can be devastating. Many SMBs suffer in silence, often paying ransoms and sustaining severe damage to their businesses.

In an interconnected world, the stakes are even higher. As large companies bolster their own cyber defenses, SMBs in their supply chains become the weak links. Attackers go after small and medium suppliers, such as tax software companies, as a way into deep-pocketed large enterprises.

Risk managers at larger firms have recognized this risk and are starting to take cybersecurity into account as they contract with smaller suppliers and partners. SMBs increasingly need to demonstrate their readiness in order to do business with enterprise customers.

GDPR compliance bolsters cyber defenses

The European Union’s General Data Protection Regulation (GDPR) requires accountability, data security, and data protection by design and default. Discussion of GDPR often centers on the rights of individuals to maintain privacy and control of data about themselves, but implementation requires organizations to make fundamental changes that are good for cybersecurity, too. A closer look at the rules shows why.

Under GDPR, an organization must document what data it collects, where that data is stored and who is responsible for it. Staff must be trained in the technical and organisational measures (TOMs) that protect it. Data processing agreements need to be in place with third parties, and in many cases (public authorities, or organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data) a data protection officer must be designated.

Many IT systems were developed before cybersecurity was prioritized, so protective measures are often patched on in reaction to a breach. Building in data protection by design and default, as GDPR requires, means thinking about these issues upfront and designing data collection and storage systems with security in mind.

Fundamental Cyber’s Funda tool enables SMBs to take a pragmatic approach to GDPR compliance. Specifically, Funda enables you to:

  • Scan your computer in seconds for Personally Identifiable Information (PII) and Personal Health Information (PHI)
  • Easily report incidents for remediation
  • Comply with GDPR privacy rules
  • Increase productivity while decreasing stress and worry

Conclusion

Don’t be intimidated into helplessness by believing that all attacks are “sophisticated” and unstoppable. Realize that SMBs are frequently targeted, and that the vulnerabilities of SMBs are increasingly a risk to larger players. And follow GDPR for its own sake and as a pathway to stronger cyber defense.
