As an IT professional, you’re likely concerned about cybersecurity and the implications of a ransomware attack…and for good reason. But isn’t there a fine line between caution and paranoia? Admit it (we won’t tell your boss): ever wonder just how secure you really need to be? Let’s unpack this along with a few other common questions.
We’re not a Fortune 100 company. Why would a hacker bother with us?
Your organization may not be as lucrative as Amazon or Walmart, but hackers know it’s likely easier to attack a small- to mid-size company than a behemoth like Amazon. In fact, hackers are increasingly going after smaller companies precisely because they don’t think they are being targeted. According to Veeam, 85% of cyberattacks are aimed at small businesses.
And it makes sense: smaller companies often don’t have the resources to train their employees to look for phishing and smishing red flags. They are also more likely to pay ransoms, and (this one may be the motherlode) smaller companies are often the gateway to larger downstream partners that can be hacked through partner portals and databases.
Sorry to say, but if you haven’t been attacked, it’s likely a matter of time before you are. In 2024, ransomware attacks increased 93% year over year. Veeam recently reported that in a global survey of 1,200 international companies of all sizes, 85% of organizations suffered at least one cyberattack in the preceding 12 months. So, if you haven’t been a victim, great, but to quote an old Malayan proverb: “Don’t think there are no crocodiles just because the water is calm.”
How much should I spend on data security?
Tough question, and there’s no easy answer. According to Statista, businesses worldwide spend an average of 12% of their IT budgets on cybersecurity. Other sources say 10%, still others as high as 20%. Statista also estimates the average IT budget for a small business under $50 million in revenue should be about 4% of revenue.
One thing is for sure: it’s more expensive to be the victim of a ransomware attack than it is to try to prevent or recover from one! The average downtime a company experiences after a ransomware attack is 24 days, and according to Sophos, the average payout by a mid-sized organization is $170,000. Consider the intangible costs as well: damage to reputation, staff hours to mitigate the damage, and loss of revenue. According to Gartner, 60% of organizations, investors and venture capitalists in 2025 will factor cybersecurity risk when assessing new business opportunities. So if you don’t have adequate protections in place, you may lose some of your business partners.
At the very least, you should have backup for all of your data, a disaster recovery solution, DDoS protection, and a next generation firewall in place. You should also consider employee training on recognizing ransomware traps. Perhaps it goes without saying, but we’ll say it anyway: create a continuity and disaster mitigation plan, and ensure senior management and IT staff know the plan and their roles inside out.
Lastly, an insurance policy against cybersecurity is fine, but in no way is it a silver bullet. According to a global survey by Veeam, one in three respondents who paid a ransom still could not recover their data after paying. And due to the prevalence of attacks, premium costs are on the rise, deductibles are up, and coverage has commonly been reduced.
I have a DR plan in place, so I’m in good shape, right?
Well, maybe. As a rule, experts agree it’s best to test your plan at least once or twice a year and update your DR plan whenever significant changes to IT staff, system infrastructure, or processes occur. A DR test consists of examining each step of a disaster recovery plan to ensure that an organization can recover its data and applications, restore critical business applications efficiently, and operate after downtime or a service interruption. Also, remember that having a plan is useless if no one knows how it works.
If you’re fortunate enough to have a CISO or IT director responsible for cybersecurity, you can be proactive and conduct tabletop exercises to role-play crisis scenarios. Certain tools can help. Black Hills Information Security offers an incidence response card game called Backdoors and Breaches that creatively helps you conduct tabletop exercises to play through various disaster scenarios. You can then create strategies and responses that translate to the real world.
If you don’t have a CISO or security czar, that’s ok. You can get help from a security solutions provider, or simply take a phased approach to cybersecurity.
How do I manage cybersecurity with growing threats and finite resources? This is overwhelming!
You have options that can save you time and money. First, if you’re still managing your own infrastructure or data center, consider offloading some, or all, of your computing resources to the cloud, a data center, or colocation facility. There are many service providers that can manage your servers, backup your data, and offer disaster recovery and firewall as a service. Gartner predicts that by 2025, 80% of enterprises will shift from traditional in-house data centers to options like cloud or colocation.
For low-hanging fruit, look for vulnerabilities in your hardware and software, install software patches as soon as possible, and train your employees not to click on suspicious links. Educate your workforce on the dangers of downloading unapproved applications or software, too.
In a nutshell, when it comes to ransomware protection, do what you can, as soon as you can, with the resources you have.
At FirstLight, our cybersecurity and cloud specialists can support your security strategy with solutions ranging from backup and disaster recovery to a full SASE suite. Our experts cater to all company sizes and can suggest the solutions that are right for your needs and budget. FirstLight also manages more than a dozen geo-diverse data centers with colocation and cloud solutions. Connect with one of our experts to learn more.
