WASHINGTON – With ransomware attacks on the rise, small and medium businesses are the most vulnerable, according to a Capitol Hill internet panel.

The Advisory Committee to the Congressional Internet Caucus, a private sector group that gives recommendations and briefings to the caucus, said Monday ransomware has become an epidemic.

At the briefing, Danielle Sheer, general counsel for Carbonite, a Boston-based company that provides data backup services, said her company has found that “47 percent of U.S. business organizations were hit with ransomware in the last 12 months. And 40 percent of the business victims globally paid the ransomware.”

Dante Disparte, chief executive officer at Risk Cooperative, a risk management firm headquartered in Washington, said small and medium-sized businesses are the most vulnerable because they “don’t have the type of cyber budget to outspend the way the largest companies in our economy can.”

Sheer said the numbers are on the low end because many companies and individuals are reluctant to report attacks for fear of repercussions.

However, Richard Downing, acting deputy assistant attorney general, said although the Justice Department does not encourage the paying of ransoms, the government does not seek legal action against individuals or companies that have paid ransoms. The most important issue, he said, is having companies report ransomware attacks.

Sheer said the three most important steps to take are fortifying one’s network to prevent infection, having an alert system for infection, and having backup data.

Downing said sharing information is crucial to preventing infection, and the government has a role in “promoting information sharing.”

Downing said the government has played an important role in promoting information sharing and protecting the private sector. In 2015, Congress passed the Cybersecurity Information Sharing Act, which allows companies to share information with the federal government without fear of legal repercussions.

Downing said the law is “the kind of thing that can promote an environment where people are willing to share…different kinds of pieces of security information…that can help the government protect itself and help others in the community.”