Small-hit ransomware attacks are targeting small- to mid-sized businesses (SMBs) around the country.

SMB ransomware attackers target companies they know can pay their relatively low payment demands. They know that SMBs have smaller business continuity cushions — they simply cannot afford to be offline for long and often lack contingency plans. These attackers work on volume: small-cap attacks targeting a bulk of SMBs.

Ransomware attacks against SMBs have increased 150% in the past two years. SMBs suffered some 6,300 attacks per day in 2019. As of the end of 2021, SMBs were hit with some 31,000 average daily attacks.

And the costs to SMBs are significant. According to a recent cyber insurance study, the average cost of a cyberattack on a U.S. small business (less than 250 employees) was $25,612. More than half of small businesses surveyed had incurred costs of at least $10,000 per cyberattack, while 5% of them incurred at least $119,000 in costs.

Without breaking the budget, here are five simple steps SMB security leaders can take to ensure that they’re not a target.

1. Get backups in order

Take the time to understand exactly how the organization backs up data. Can IT recover backups quickly if needed? This may seem intuitive, but many companies simply don’t know what they’re backing up until they discover it’s insufficient.

2. Harden the environment

Hiring an outsourced IT consultant or a managed security service provider (MSSP) to check this one off the list could reduce the organization’s attack surface. When choosing a partner, make sure that they take the time to really learn the work ecosystem. This is crucial to not impeding the team’s productivity.

3. Train the team against phishing

Phishing is the number one entry-point for malware. Anti-phishing software and training is worth the investment. At the same time, make sure to consider alert fatigue if the team is jumping at every email, they’ll be far less productive.

4. Prepare for ransomware

Ransomware contingency planning can be simple. Security leaders can determine who to call and which immediate next steps to take post-ransomware.

5. Get ransomware insurance

Just like fire insurance or car insurance, this is a common business outlay. The average price for a 50-person company with low liability can be just $2,000 to $3,000 a year certainly far less than the average ransomware payout.

For many SMBs, ransomware is a clear and present danger. By starting with the basics, security leaders can make cybersecurity a priority for an SMB.