The catalogue of high-profile ransomware attacks is growing larger and more alarming every day, affecting everything from gas pipelines to transport and technology firms. As the range of ransomware targets increases, the average ransom payment demanded by cybercriminals is skyrocketing. The most recent BrightCloud Threat Report revealed that the average ransomware payment was $154,108 by the end of 2020, a huge increase from $6,733 at the end of 2018.
Australia’s Cyber Security Industry Advisory Committee has recently warned that malicious cyber criminals are becoming more brazen and sophisticated. This sentiment is also supported in the BrightCloud Threat Report which found that ransomware has become more targeted, and much more ruthless, with criminals specifically targeting higher value and weaker targets to gain larger financial rewards.
It’s clear that larger organisations have become preferred targets because they can and will pay more to get their data back – in fact, the world's largest meat processing company recently paid $11m in ransom to put an end to a major cyber-attack. Australia’s Home Affairs Minister Karen Andrews has warned that cybercrime is costing the Australian economy about $3.5 billion a year – these are huge costs for businesses to contend with.
However, hidden costs associated with these attacks can be just as significant. It is becoming more complex and expensive for businesses to recover from these attacks, and recovery often leaves a significant dent in operating budgets.
Security issues often exist because the threat surface area is now so large – and cybercriminals are experts in exploiting the gaps. In this piece, I’ll explore the hidden costs of ransomware businesses need to be aware of and how to protect against them.
Once inside a network environment, ransomware replicates and spreads, causing more damage as it propagates. Some businesses spot and remediate straight away, but for others the infection doesn’t reveal itself for 24 hours or more.
The further ransomware spreads, the longer it takes to mitigate. Every infected device requires additional man-hours, and emails sent out with phishing links and malicious attachments multiply the work involved exponentially. In the best case, a ransomware infection that is caught early may only require a few man-hours to remediate. We’ve found that more than 40% of businesses that suffer a ransomware attack spend eight or more man-hours on remediation efforts.
Not only does the cost of ransomware remediation include the work hours required, it also includes the opportunity cost of diverting IT resources away from other strategic priorities – which can be harder to quantify – as well as the cost of downtime.
The cost of downtime varies widely depending on the nature and size of the business, risk tolerance and industry – but we estimate around $10,000 an hour for small and midsize businesses and up to $300,000 an hour for large enterprises.
Brand and reputational damage
Downtime, like ransomware itself, entails hidden costs. If either extends to external customers, the reputational harm and diminished brand equity can exceed both the ransomware payment and the operational costs associated with an attack.
In addition, customer loyalty is increasingly fickle. According to one study, 61 per cent of consumers switched some or all of their business from one brand to another in the last year, and 77 per cent admitted they now retract their loyalty more quickly than they did three years ago.
Many businesses are continually assessing their cyber risk profile and proactively managing their defences. However, it is also vital that they put measures in place to mitigate the impact of a cyber-attack on their reputation and brand, which means preparing a proactive, effective and instant crisis communications response.
The best-prepared businesses are the ones that can refuse to pay ransom demands because they are able to recover their data. Of course, the best way to be able to recover data is to back it up. But deploying backup isn’t the only defensive measure businesses should consider. Gaps in protection must be closed to ensure the resilience of the entire system.
A meaningful security posture starts with preventative security measures and a defence-in-depth data protection strategy. This begins by looking at the attack vectors that could lead to a ransomware infection.
We find that the most common threat vector is an organisation’s employees themselves, who may inadvertently visit malicious websites, click on phishing email links or attachments, or disclose their login credentials.
Security awareness training is therefore the most effective way to address the common threat vectors that lead to successful ransomware attacks. Training employees with phishing simulations is more effective when conducted more frequently, and we’ve found that after 12 sessions click rates on malicious links and attachments can drop by up to 50%.
Alongside this, businesses can build cyber resilience by undertaking an external security audit to identify software vulnerabilities, implementing two-factor or multi-factor authentication to minimise the impact of credential theft, and deploying internet threat intelligence and DNS filtering to block malicious sites.
Ultimately, a strong security posture that prevents ransomware infections in the first place is crucial to mitigating costs. Some companies now consider paying ransoms to be a cost of doing business. They prepare in advance for what they see as inevitable ransomware attacks, for example by having Bitcoin on hand or acquiring it immediately so that they can pay ransoms quickly.
But it doesn’t have to be this way. The true cost of ransomware infections includes more than just the ransomware payment – and organisations need to ensure they have full protection in place or risk paying the price.