The Protection Racket: why SMEs need to stop paying the bad guys

By James Henry, Consulting Practice Director, Auriga

The number one priority for any SME is to maintain Business as Usual (BAU), but sustaining that is becoming increasingly difficult. Organised cyber attacks have seen ransomware grow exponentially, with the National Crime Authority claiming this type of attack increased significantly over the course of the last year.

CryptoLocker, CryptoWall and TeslaCrypt are all examples of file-encrypting ransomware, a particular type of malware that is designed to prevent access to your data by encrypting it and then offering to sell you the decryption key. Lock-screen ransomware, in contrast, seeks to completely take over the computer itself and prevent any kind of activity. In both scenarios, the criminals do not have your data; they’ve simply barred access.

To make matters worse, some of the most successful ransomware attacks are timed with the ransom due to be paid before a specified deadline. Miss the deadline and you can say goodbye to your data forever. Those that do pay do usually get back their data and this has fuelled the growth of ransomware, particularly as the fees involved (£25-600) can pale into insignificance for the SME who wants, at all costs, to keep their business running and avoid the embarrassment of poor security and disclosure.

Increasingly the currency favoured by the criminal fraternity is Bitcoin and that has seen some SMEs stockpiling Bitcoin reserves in anticipation of an attack. A recent report found that 33 percent of UK businesses are buying Bitcoin precisely for this purpose. Is this admitting defeat? Should SMEs be making this kind of contingency plan? The popular consensus is that paying up increases the likelihood that these attacks will proliferate and you may even become a victim again. However, there are other issues this raises.

For instance, why aren’t SMEs investing that dead money in better protection? Cyber insurance has been around a while now and there are cyber security policies that deal with this particular threat, helping to provide a safety net that protects the business from a monetary standpoint. The problem is that these insurance policies are seen as a means of redress at best; not as a means of dealing with the problem. Policies may pay out post-compromise but in the meantime the business has effectively had to suspend operations, potentially lost its data, and may find the attack impossible to recover from.

This calls into question whether the insurance industry is adapting enough to address this threat. Surely it should be able to offer assurances with those policies to help sustain BAU? While there are no guarantees, if the insurer was able to offer a monitoring capability as part of the package, wouldn’t that be more compelling?

The current advice to businesses is to patch systems regularly and to use anti-virus. However, these systems can still fail to detect new variants of ransomware which are constantly emerging. What is needed is the capability to detect new strains and give the business prior warning. For instance, cyber security mechanisms are now available that utilise machine learning to better detect mutated forms of malware; this ensures that a new form of malware with a similar DNA to that of a previous version can be detected. An AV system may have missed the new strain because of the difference in signature.

A self-learning Security Operations Center (SOC) can deliver this type of capability and could be used by cyber insurance providers, helping them to provide a proactive rather than retroactive solution to policy buyers. By adopting this type of white label solution, the cyber insurance provider can enhance its offering and reduce the risk of pay-out through monitoring emerging ransomware and alerting policy holders. Of course, this would be just one aspect of the package the provider would offer.

Many are already recognising that they need to advise the SME on how to reduce the threat of compromise and are offering strategic guidance, such as the need to invest in a cloud-based or air-gapped disk back-up utility with data backed up on a daily basis. With this sort of back-up in place, management need only hit restore when the ransomware hits in order to get their data back.

But for now, the insurance industry has its work cut out in persuading the SME to invest in its cyber security policies when they can simply pay off the ransom racketeers. To win them over, insurers are going to have to offer far more than simple cyber insurance policies; they’re going to have to get into the protection racket themselves by partnering with security providers to offer services that reduce the risk of ransomware.


Auriga Consulting Ltd is a centre of excellence in Cyber Security and Monitoring Services, with a renowned track record of succeeding where others have failed. Offering its clients a cyber protection journey from design through to continuous monitoring, Auriga’s Consultants and Analysts have tailored solutions no matter the size of your organisation.