Experiences and Lessons Learned at a Small and Medium-Sized Enterprise (SME) Following Two Ransomware Attacks
Donald Wynn, Jr., W. David Salisbury, Mark Winemiller
This paper presents a case study of a small U.S. manufacturing company that suffered two distinct ransomware attacks four years apart, despite strengthening its cybersecurity after the first incident. The study analyzes both attacks, the company's response, and the lessons learned from the experiences. The goal is to provide actionable recommendations to help other small and medium-sized enterprises (SMEs) improve their defenses and recovery strategies against evolving cyber threats.
Problem
Small and medium-sized enterprises (SMEs) face unique cybersecurity challenges due to significant resource constraints compared to larger corporations. They often lack the financial capacity, specialized expertise, and trained workforce to implement and maintain adequate technical and procedural controls. This vulnerability is increasingly exploited by cybercriminals, with a high percentage of ransomware attacks specifically targeting these smaller, less-defended businesses.
Outcome
- All businesses are targets: The belief in 'security by obscurity' is a dangerous misconception; any online presence makes a business a potential target for cyberattacks. - Comprehensive backups are essential: Backups must include not only data but also system configurations and software to enable a full and timely recovery. - Management buy-in is critical: Senior leadership must understand the importance of cybersecurity and provide the necessary funding and organizational support for robust defense measures. - People are a key vulnerability: Technical defenses can be bypassed by human error, as demonstrated by the second attack which originated from a phishing email, underscoring the need for continuous employee training. - Cybercrime is an evolving 'arms race': Attackers are becoming increasingly sophisticated, professional, and organized, requiring businesses to continually adapt and strengthen their defenses.
Host: Welcome to A.I.S. Insights — powered by Living Knowledge. I'm your host, Anna Ivy Summers. Today we're diving into a story that serves as a powerful warning for any business operating online. We're looking at a study titled, "Experiences and Lessons Learned at a Small and Medium-Sized Enterprise (SME) Following Two Ransomware Attacks".
Host: With me is our analyst, Alex Ian Sutherland. Alex, this study follows a small U.S. manufacturing company that was hit by ransomware not once, but twice, despite strengthening its security after the first incident. It’s a real-world look at how businesses can defend and recover from these evolving threats.
Expert: It is, Anna. And it's a critical topic.
Host: So, let's start with the big problem. We often hear about massive corporations getting hacked. Why does this study focus on smaller businesses?
Expert: Because they are the primary target. SMEs face unique challenges due to resource constraints. They often lack the financial capacity or specialized staff to build robust cyber defenses. The study points out that a huge percentage of ransomware attacks—over 80% in some reports—are aimed specifically at these smaller, less-defended companies. Cybercriminals see them as easy targets.
Host: To explore this, what approach did the researchers take?
Expert: They conducted an in-depth case study of one company. By focusing on this single manufacturing firm, they could analyze the two attacks in detail—one in 2017 and a second, more advanced attack in 2021. They documented the company's response, the financial and operational impact, and the critical lessons learned from both experiences.
Host: Getting hit twice provides a unique perspective. What was the first major finding from this?
Expert: The first and most fundamental finding was that all businesses are targets. Before the 2017 attack, the company’s management believed in 'security by obscurity'—they thought they were too small and not in a high-value industry like finance to be of interest. That was a costly mistake.
Host: A wake-up call, for sure. After that first attack, they tried to recover. What did they learn from that process?
Expert: They learned that comprehensive backups are absolutely essential. They had backups of their data, but not their system configurations or software. This meant recovery was a slow, painful process of rebuilding servers from scratch, leading to almost two weeks of downtime for critical systems.
Host: That kind of downtime could kill a small business. You mentioned management's mindset was a problem initially. Did that change?
Expert: It changed overnight. The third finding is that management buy-in is critical. The IT director had struggled to get funding for security before the attack. Afterwards, the threat became real. He was promoted to Vice President, and the study quotes him saying, “Finding cybersecurity dollars was no longer difficult.”
Host: So with new funding and better technology, they were prepared. But they still got hit a second time. How did that happen?
Expert: This highlights the fourth key finding: people are a key vulnerability. The second, more sophisticated attack in 2021 didn't break through a firewall; it walked in the front door through a phishing email that a single employee clicked. It proved that technology alone isn't enough.
Host: It's a classic problem. And what did that second attack reveal about the attackers themselves?
Expert: It showed that cybercrime is an evolving 'arms race'. The first attack was relatively crude. The second was from a highly professional ransomware group called REvil, which operates like a criminal franchise. They used a 'double extortion' tactic—not just encrypting the company's data, but also stealing it and threatening to release sensitive HR files publicly.
Host: That's terrifying. So, Alex, this is the most important question for our listeners. What are the practical takeaways? Why does this matter for their business?
Expert: There are four key actions every business leader should take. First, accept that you are a target, no matter your size or industry. Budget for cybersecurity proactively, don't wait for a disaster.
Expert: Second, ensure your backups are truly comprehensive and test your disaster recovery plan. You need to be able to restore entire systems, not just data, and you need to know that it actually works.
Expert: Third, invest in your people. Continuous security awareness training is not optional; it’s one of your most effective defenses against threats like phishing that target human error.
Expert: And finally, build relationships with external experts *before* you need them. For the second attack, the company had an incident response firm on retainer. Having experts to call immediately made a massive difference. You don’t want to be looking for help in the middle of a crisis.
Host: Powerful advice. To summarize: assume you're a target, build and test a full recovery plan, train your team relentlessly, and have experts on speed dial. This isn't just a technology problem; it's a business continuity problem.
Host: Alex Ian Sutherland, thank you for sharing these critical insights with us.
Expert: My pleasure, Anna.
Host: And thank you for tuning into A.I.S. Insights, powered by Living Knowledge. Join us next time as we translate academic research into actionable business strategy.
ransomware, cybersecurity, SME, case study, incident response, cyber attack, information security
