If you focus only on the headlines, even in the specialist tech press, you’d be forgiven for thinking that ransomware attacks were mainly a problem for larger businesses and institutions. The incidents that make the news tend to feature attention-grabbing numbers, whether in the size of the ransom demanded or in the cost of restoration and recovery. Another type of attack that will always make the news is one affecting vital services – hospitals, schools, police departments, or other government services – whose disruption is likely to cause widespread concern. Likewise, when a major bank, tech firm, logistics or telecoms provider, or well-known institution is knocked offline for days at a time, it tends to get reported.
At the other end of the scale are the individuals, and perhaps micro-businesses, hit by entirely automated malware infections. In these cases, usually traceable to a spam email or a malicious advertisement in a video game, someone’s personal PC or laptop has been locked up, and cherished photos, the draft of a novel or a list of local customers is leveraged to extort a few hundred dollars in Bitcoin.
For much of the history of the ransomware threat, these have been the bulk of the victims and the topic of most of the scare stories, at least until the rise of cloud services and automated duplication of data across devices gave us all an easy way to back up our data. But in between these two, there is another group which gets far less attention than it should – small to medium-sized businesses, many of them providing professional services such as legal or financial advice. Small businesses are the largest employer in the US and make up the foundation of the US economy. The impact and prevalence of ransomware in this segment stand out from other industries.
Coveware’s latest set of statistics, from Q3 of 2020, shows that more than 70% of ransomware incidents involved companies with fewer than 1,000 employees, and 60% involved companies with revenues of less than $50 million. Looking at the breakdown by industry sector, more than a quarter of affected companies are in the professional services category, by far the largest single vertical and challenged only by health care and the public sector. As noted above, those two get perhaps more attention than they should, weighing in at only 11.3% and 11.6% of incidents respectively. No other category tops 10%.
With professional services firms making up only 14% of businesses in the US but accounting for over 25% of ransomware attacks, this industry sector is absorbing more attacks than its share.