Ransomware dominated the cyberthreat landscape in 2016, costing businesses more than $1 billion. Small and medium-sized businesses (SMBs) are extremely vulnerable to these attacks, and they often pay the price, since they don’t have the means, or don’t know how, to combat these threats.

“Small and medium-sized businesses typically have fewer resources (e.g., money as well as knowledgeable people) to secure their IT infrastructure as well as maintain a good backup strategy,” said Engin Kirda, professor of computer science at Northeastern University. “Hence, whenever a ransomware attack happens, they often end up having to pay the ransom to rescue their data.”

The average ransom is in the $500 to $2,000 range, up a bit from the past couple of years, according to Robert Gibbons, chief technology officer at Datto. But even when a company pays the ransom, it only gets its original files back about two-thirds of the time, he added.

Hackers are evolving their techniques to get around traditional security protections, according to a recent report from PhishMe. More modern variations of the malware can inspect the machine it is infecting, and determine, based on the applications and data stored, how much money the machine’s user is likely to pay.


For example, if the malware finds healthcare records software on the machine, the ransom price will go up dramatically, Gibbons said. “We see $10,000-plus ransoms demanded, usually when the ransomware software is able to determine that the machine is used for something important, and the user will pay more,” Gibbons said.

SMBs tend to get infected with ransomware via phishing emails and shared USB drives. While large businesses tend to have fileshare systems or drives, smaller ones tend to use USB keys or external media. “One employee will plug in a USB key at home, move files to that key, work on them at home, and bring it back to work–it opens up the networking environment to infections from the home PC,” Gibbons said. “The more you’re taking media and connecting to unsecure networks, the more infections you’ll get.”

Preventing and mitigating attacks

SMBs should ensure that they have good remote backups of their data, Kirda said. “Mounted drives often are not effective against ransomware because when an attack happens, attackers also typically go after the mounted drives and hijack the data there,” Kirda said. “A backup service into a cloud might be more effective.”

Gibbons recommends having basic IT protections around how files are shared within a network, including a basic VPN setup for employees who work from home, or a fileshare system like Dropbox. “Having a corporate-sponsored way of sharing files remotely, working on them, and getting them safely back into the network goes a long way,” Gibbons said.

Basic employee education programs about email phishing and other cyber threats are also very effective, Gibbons said. “You need to plan as though you’re absolutely going to get infected,” he added. “The problem is you’re subject to the weakest link in the chain–the least technically skilled individual in the business will be how you become a victim.”

When ransomware does hit, it’s key to identify and isolate the infected machine to ensure it doesn’t spread throughout the network, Gibbons said.


Reporting the incident to authorities is important regardless of whether you pay the ransom, Gibbons said, because underreporting is a real problem when it comes to ransomware attacks.

Why? “For small businesses, they’ve just got a business to run,” Gibbons said. “For medium businesses, there is an incentive not to report it and make a big deal of it, because customers tend to judge a business that’s been infected by ransomware.”

After an attack, it’s also important to communicate with customers, focusing on the security that is in place and the containment of the threat, Gibbons said. “Any time I read about a security compromise that was stopped on the initial machine or shortly thereafter, or the security apparatus worked, I think better of that business,” Gibbons said. “You can’t stop it completely, but you can control the threat and monitor it and make sure you never have too big of a problem.”

There’s currently a disconnect between IT leaders and business leaders in terms of grasping the danger of ransomware, Gibbons said. While IT leaders tend to understand the problem, the business side does not always recognize it, he added.

“If you look at software viruses, most small and medium business owners understand that threat and want to be protected against it. We didn’t see that yet for ransomware,” Gibbons said. “There is a maturation and alignment between IT leaders and business leaders that needs to happen over the next year to make sure both sides are seeing the threat for what it is, and taking appropriate protections. Right now, it’s wildly out of sync.”

IT professionals can try to get business leaders to engage with the issue, Gibbons said. Estimating the cost of downtimes helps a lot. “For a lot of business leaders, being denied access to the IT environment for half a day can have a severe impact–walk them through that,” Gibbons said.