Last month, news broke that venerable auction house Christie’s had been struck with disaster. It wasn’t fire, flood or earthquake, but something far more treacherous: a ransomware attack.
Such hacks come in a variety of guises, but share a basic setup. An attacker or group of attackers gains access to your systems and offers an exchange: Pay a ransom, or they’ll wreak havoc. In some cases, these bad actors encrypt files and lock up systems, freezing normal operations. In others, like the Christie’s hack, they steal sensitive data and threaten to release it to the public. Many groups now do both.
If a ransomware attack lies very low on your list of things to worry about, there’s a reason for that. Hacks don’t always slip out into the news, because companies—for obvious reasons—aren’t eager to publicize them. As a result, the problem stays in the shadows, no one takes adequate precautions, and it only gets worse.
In the abstract, the consequences of one of these hacks can feel vague—would it really be so catastrophic to lose access to your Dropbox account? In reality, the effects can be devastating. Setting aside an attack that freezes business operations, imagine hackers gaining access to every sensitive email you’ve ever sent—or your employees’ addresses, Social Security numbers and health care records. The fear of financial consequences, embarrassment and loss of trust is why ransomware attacks are so dangerously effective.
Precise data is difficult to come by, but experts agree that the dollar amounts demanded by hackers have gone up radically in recent years. “If you turn the clock back to 2019, the average [ransom] was around $5,000. Now it’s north of $1 million,” says Brett Callow, a threat expert for Emsisoft, a company that specializes in cybersecurity. “It’s a vicious cycle. As the attackers make more money, they’re able to scale up their operations and launch attacks against bigger organizations. … Organizations carry cybersecurity insurance more than they used to, and there’s a school of thought [among hackers] that insured organizations are more likely to pay, because the demands aren’t coming out of their own pockets. As demands have gone up, so has organizations’ amount of coverage.”
Ransomware hackers sometimes target specific kinds of businesses. Health care companies are frequently in the crosshairs, partially because of the wealth of the industry, but also because of the sensitivity of the data they’re responsible for. However, no sector of the economy is immune, and companies in the design industry have also been targeted, including Ikea locations in Morocco and Kuwait in 2022, Michigan-based office furniture manufacturer Steelcase in 2020, and multiple Ashley HomeStore locations since 2019.
“[The attacks] are very indiscriminate. Attacks are cheap to carry out, and anyone and everyone is a target,” says Callow. “Charities, small businesses—really anybody.”
There is no single “right” answer for what to do if your company is targeted. Experts frequently advise not to pay hackers—at least partially because there’s no guarantee that they’ll stick to the terms of the deal. There are countermeasures, and in some situations, an effective security team can mitigate the threat and regain control of your system. However, the reality is that many businesses, faced with the debilitating impact of a major hack, pay the ransom and cross their fingers.
If there is a best practice, it’s to take precautions and avoid a security breach in the first place. Hackers often reach employees through phishing: seemingly innocuous emails that carry malware in an attachment, or that link to a fake login page built to harvest passwords. Training staff to be vigilant is a crucial line of defense.
“Humans make mistakes, and many [schemes] are quite believable. Awareness and routine training can keep employees alert to the dangers. Ensure every employee, no matter where they fall, understands basic safety practices,” says a spokesperson for McAfee, the computer security software company. “For example, ensure the email is from who they claim to be [by looking closely at the origin address or verifying with the person through another mode of communication]. Be cautious of any links. Do not download unsolicited attachments.”
Backing up critical information regularly is another crucial precaution—don’t run your entire business off of a single Microsoft Excel file that only exists on one desktop. A backup only helps if the attackers can’t reach it and you know it actually restores: Keep at least one copy offline or otherwise protected from being overwritten from the office network, since ransomware routinely encrypts any backup it can see, and test a restore periodically rather than assuming it works. And make a point of turning on two-factor authentication whenever it’s an option: It’s far more difficult to take over an account when a user is required to input both a password and a second factor. An authenticator app or a hardware security key is stronger than a code texted to a phone, but any second factor is a large improvement over a password alone.
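The advice to back up and then verify the backup is easy to state and rarely done. As an added illustration (this is example code, not something from the article or from any of the companies it quotes), the script below records a SHA-256 hash of every file in a backup set, then checks a copy against that manifest and reports anything missing or altered. The directory layout, file names and contents are constructed in a temporary folder purely for the demonstration.

```python
"""Build a hash manifest for a backup set and verify a copy against it.

Added example, not part of the original article. Everything below runs on
constructed sample files in a temporary directory (an assumption for the
demo); in practice `source` is your working data and `backup` is the copy
you intend to restore from.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large spreadsheets don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup copy against the manifest taken from the source.

    Returns relative paths that are missing from the backup and paths whose
    contents no longer match the recorded hash, which is what a file looks
    like after ransomware has encrypted it or a copy has been corrupted.
    """
    missing: list[str] = []
    changed: list[str] = []
    for rel, digest in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            missing.append(rel)
        elif file_sha256(target) != digest:
            changed.append(rel)
    return {"missing": missing, "changed": changed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a backup, then simulate an attacker
    overwriting one backed-up file and deleting another. The verification
    should flag exactly those two files."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        # Constructed sample data; not real business files.
        (src / "finance" / "ledger.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (src / "clients.csv").write_bytes(b"name,email\nAda,ada@example.com\n")

        manifest = build_manifest(src)
        # Store the manifest with the offline copy so a restore can be
        # checked without trusting the (possibly compromised) office network.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        shutil.copytree(src, dst)
        clean = verify_backup(manifest, dst)
        assert clean == {"missing": [], "changed": []}, clean

        # Simulate ransomware: one file overwritten with ciphertext-like bytes,
        # one file gone.
        (dst / "finance" / "ledger.xlsx").write_bytes(os.urandom(64))
        (dst / "clients.csv").unlink()
        return verify_backup(manifest, dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping the manifest alongside an offline copy is that an intruder who encrypts the live file share cannot also rewrite the record you compare against; a manifest stored on the same network drive as the backup gets encrypted along with everything else and tells you nothing.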
In general, it’s a good idea to schedule regular (at least yearly) security reviews with your IT team or an outside pro. A few simple steps now can prevent a catastrophe later. The experts tend to agree that, barring intervention from the government, this cycle—companies paying ransom, incentivizing hackers to carry out more, bigger attacks—will continue.
“The ransomware problem has gotten worse and worse,” says Callow. “And realistically, it’s going to keep on getting worse unless we make some drastic changes.”