Collision Shop Ransomware Attacks: Invest in Prevention to Avoid Costly Response Options
Small businesses that experience a ransomware attack face steep costs, whether or not they pay the ransom.
If your collision repair business falls victim to a cyberattack demanding a ransom to be paid to restore your company’s access to its online files, you’re facing a bit of a “Sophie’s Choice,” according to representatives of StoredTech, an IT service company with locations in New York and North Carolina. The reason: There are costs and risks associated with paying such a ransom — but also costs and risks in not paying it.
StoredTech’s Aleks Pavlinik, speaking at the Collision Industry Conference (CIC) this spring, ran through a fictional scenario in which a shop owner responds to an email that appears to be from one of the shop’s tool vendors, clicking on a link in the email to provide the requested information. An hour later, all of his shop’s computers are locked down with an onscreen ransom demand, seeking $50,000 in Bitcoin within 72 hours to restore access to the files. If not paid, the demand states, all the shop’s data will be made available to anyone on the dark web.
The shop owner could choose not to pay the ransom. Perhaps the shop has a cybersecurity insurance policy, Pavlinik said, and the insurer’s forensic team comes in and is able to restore some email, the phone system and internet communications to enable the shop to access its cloud-based services.
“But little-known fact here: Threat actors often come in and before they do the [full lock-down], they’ll actually destroy your back-ups,” Pavlinik said. “That’s why it’s so important to have immutable back-ups, back-ups that can’t be changed.”
In this scenario, even though the shop did not pay the ransom, the owner faced about $150,000 in recovery costs.
StoredTech’s Allan Polok ran through the other possible outcome: paying the ransom.
“The shop owner could find out the hackers lied and did not release access to all the information after he paid,” Polok said. “Why would they lie? Why wouldn’t they give [the] data back after they were paid the $50,000? Well, these are criminals, and there is no honor among thieves. In fact, they leaked some of [the shop’s] data.
“So in addition to the ransom of $50,000, [the shop owner] still has recovery fees of about $150,000,” Polok continued. “He had to prove to all his partners that his systems were secure, that he was ready to do business with them again, and to safeguard their data and information. It was about $150,000, including some of the steps he could have taken to prevent this from happening in the first place.”
Another risk whether you pay the ransom or not: Having your cybersecurity insurance claim denied.
When you apply for such a policy, Polok said, you generally complete a survey about your company’s cybersecurity practices, such as multifactor authentication and strong password practices. If the insurer’s forensic work finds that any of your responses to those questions aren’t reflected in your actual practices, the insurer may contest the claim.
“So there’s no good option here,” Polok said. “Most of the implications are the same in either scenario: Loss of data, recovery costs, reputational damage, etc. If the ransom was paid, we’ve got a few extra implications. Who was that paid to? Criminals. Maybe a terrorist group. How do you report that on your balance sheet? How do we tell the IRS we paid $50,000? The FBI tells us not to pay it. So there might be some consequences to that. The only good choice in this situation is really to prepare for and prevent it to begin with.”
In terms of preparation, Polak said, make sure you have offline access to your cyber insurance policy, and make sure your application for it was fully accurate in terms of your company’s cybersecurity practices.
“Have some key phone numbers — for your attorney, IT people, your insurance company — offline, written down,” Polak said.
Many business owners think their first call when hit by a cyberattack should be to their IT people or insurer.
“You call your lawyer,” Pavlinik said. “And the reason for that is you want to establish attorney-client privilege in this situation. You could be facing hundreds of thousands of dollars in civil penalties, and if you pay [the ransom], potential felonies. I would highly suggest that you establish that communication first, and then you move on to the insurance company.
“The insurance company has approved responders, companies that do this day-in and day-out,” he said. “And you will have to use what they say that you’re going to use for the recovery of this event. You cannot use your friend down the street. You can’t call up your smart son. At this point you have to follow what the insurance company says to do.”
Typical downtime after such a cyberattack can be anywhere from a week to months, Pavlinik said.
In terms of prevention, Pavlinik said, the vast majority of cyberattacks stem from phishing.
He recommended slowing down to look for signs of phishing in any email before responding or clicking on any link or attachment. Such signs can include misspellings and attempts to create a sense of urgency, such as, “Your response is needed by the end of the day.”
Too many small businesses, Polak also said, have unsecured networks, outdated software and no firewall. They aren’t consistently using strong passwords and multifactor authentication, and aren’t getting security awareness training for their team. They don’t ensure computers are locked when people walk away from them. They aren’t protecting themselves from “a disgruntled employee who’s maybe quietly quitting, or somebody who has left the company but who still has access to your information because their accounts weren’t disabled.”
No single measure will stop all cyberattacks, Pavlinik said. “We’re layering all these different security technologies on top of each other, because if there’s a failure somewhere in that chain, we have back-ups in the sense of something else that might be able to block it,” he said.
As they concluded the presentation at CIC, Pavlinik and Polak put a QR code on the screen that people could use to get more information. The catch: the 22 people at CIC who scanned it were sent to a page that says, “Oops, you scanned a QR code phishing test.” QR codes are a relatively new vulnerability, Polak said.
“Threat actors are using them,” he said. “They’re posting them at popular events. People are clicking on them. USB drives or sticks are being dropped in a parking lot. They can be used for all kinds of cyberattacks. I worked with a restaurant that had three locations. One employee picked up a flash drive and put it into a computer. It took out the entire restaurant chain just in the course of a couple hours.”
It’s a good reminder that all employees should have some basic cybersecurity training, he said.
While multifactor authentication — where sign-ins trigger a code to your cell phone that you have to enter to continue — offers one good layer of protection, it isn’t perfect, Pavlinik said. There are other forms of multifactor authentication that are more phish-resistant.
“Passkeys, hardware-based FIDO2, are some of the strongest forms of authentication out there for both the consumer and the business standpoint,” Pavlinik said. “The beauty of passkeys is it gives you the ability to eliminate the password.”