Ransom-proofing Your Business

When small and mid-size business owners consider their risk of a ransomware attack and the investment they’ll make to prevent or mitigate that risk, some ask, “What are the real chances that our data would get held for ransom?” It may feel like the risk is quite low, especially if they’ve been in business a long time without experiencing an attack.

The truth is that in the 21st Century, this is a problem for everyone. No one is immune. According to the CyberSecurity Alliance, ransomware attacks nearly doubled from 2020 to 2021.

Seventy percent of all ransomware attacks worldwide are on small to mid-size businesses. That’s because the hacker’s chance of getting a payout is higher with companies who are laser-focused on their lines of business and may not be well-protected.

Even more distressing is that 60 percent of small and mid-size companies that experience an attack are out of business within six months.

So what can business owners do? We covered these points and more in a recent webinar. Watch the replay and dig into each point below.


  • Don’t DIY it. The off-the-shelf, flat fee under-$250 solution probably won’t give you the coverage you need. This is the type of work that’s worth outsourcing to a trusted professional, just like hiring a CPA for your taxes.
  • Protect yourself against losses. An insurance advisor can review any insurance policies or riders you have and determine what they do and do not cover. Many of them only protect you from liability for third-party claims.
    • Look for a comprehensive policy that covers first-party claims (hackers stole your money) and third-party claims (hackers used stolen customer information to steal their money) as well as claims made where you are the third party.
  • Don’t rely on antivirus or “anti-malware” software. It only protects against known threats. You need a solution that protects against those and is smart enough to detect the 350,000 new threats created every day. Many successful attacks are hidden in apps, ads, plugins and links on social media sites. Neither the user nor the antivirus service has any idea that malicious software has been downloaded to the device.
    • Look for advanced endpoint protection (AEP), which uses artificial intelligence (AI) and machine learning to detect fileless malware, script-based attacks and zero-day threats. AEP is sometimes called Next Generation Antivirus.
    • Since detection is only half the battle, you’ll want AEP that also includes endpoint detection and response (EDR). EDR provides the information that security teams need to respond to and mitigate a threat when it’s uncovered.
  • Since 90% of all cyberattacks come through email, get a service that pre-scans it. Email hygiene protection is not good enough anymore. Again, those older technologies are based on known threats. Advanced email threat protection uses scanning engines to make sure email is from a known source, detects geolocation and detonates links (and attachments) in a contained “sandbox” environment. This technique isolates potentially dangerous files from the rest of your network so the extent of the damage will be limited.
  • Build in additional low-tech steps whenever possible. Pick up the phone and use a known trusted number to call the sender of an email or text. Verify that they sent you a link to a fantastic offer or requested that you use their pay source to make a large purchase. This type of protection is virtually free and only takes a minute.
  • Don’t expect that firewall you installed several years ago will keep hackers out. That’s a static, list-based barrier. Look for a next-gen firewall that uses geolocation inspection and blocking plus application-level deep-packet inspection, intrusion prevention and intelligence from outside the firewall.
  • Keep your backups separate from your network. This concept is referred to as an “air gap.” If your backup is on the same network as the original, they can both be encrypted by a ransomware attack. Ask your provider if your backups are “air-gapped,” meaning located on a different network and “immutable,” meaning restricted as to who or what can edit your backups.
  • If you’re not already using multi-factor authentication (MFA), get it. This form of double-check is fast becoming a minimum qualifier for cybersecurity insurance. The second factor, in addition to username and password, can be:
    • Something you know - Like a password or a memorized PIN.
    • Something you have - Like a secure USB key to plug in, or a smartphone on which you receive a unique, dynamically created multi-digit number to key in (sometimes called a token).
    • Something you are - Like a fingerprint or facial recognition.
  • Finally, if you have not had these conversations with your current IT partner, get a new one. The recommendations found here are minimum “table stakes” if your business is going to interact with other businesses and the Internet.


Jeremy Hopwood is chief information security officer for Pinnacle Financial Partners and can be reached at jeremy.hopwood@pnfp.com.
