According to Sophos, the average ransom paid by businesses last year was just over $170,000. The most common payment was $10,000.
But how many people actually pay up? Accurate figures are hard to get, because (understandably) most businesses try not to advertise the fact that they’ve given in to extortion. But if recent research from the UK is reflective of what’s happening globally, then it seems that around half of businesses do actually pay.
It’s easy to see why some businesses might go down this route. Meeting the fraudster’s demands might seem like the quickest, easiest and least costly way to get back to normal.
But costs-wise, just bear in mind the following:
- 92% of organizations who pay a ransom do not get all of their data back. On average, they recover just 65% of it.
- There’s a real risk of getting nothing back at all. The fraudster might simply disappear without supplying you with a decryption key, or the key may be flawed, meaning that some or all of your files remain inaccessible.
- Even if systems access is regained, the data has already been exploited. Sensitive data (e.g. customer account details) may already be out in the wild, so you will still need to notify customers.
The FBI and other enforcement agencies advise against paying a ransom in the strongest possible terms. It doesn’t usually make the clean-up costs go away: it just means you are handing over a five-figure sum (or more) to a fraudster, on top of those costs.
Remediation and recovery
Once an attack has occurred, you need to isolate affected systems and endpoints, forensically check the location and extent of impact, before reconnecting your backup and restoring your data.
Most organizations need external help with this, and it doesn’t come cheap. The Palo Alto Networks’ 2021 report shows that the average cost across the U.S., Europe and Canada for remediation and recovery services following an attack is $73,851. Smaller businesses pay an average of $40,719.
Let’s say your CFO is reluctant to sign off on the cost of updating your security and backup capabilities. If it seems expensive, how does it compare to 16 days’ lost revenue?According to Coveware, the average outage time following a ransomware attack now stands at 16.2 days. If you are sensible, your restoration plan will focus on getting business-critical systems back online first of all, so sales channels should be prioritized. However, even a few days’ outage can be extremely costly.
Do you have to tell outsiders about the attack? If so, who?
It depends on what categories of data have been compromised and the severity of the breach. In the UK and Europe for instance, there’s an obligation to inform individuals as well as local data protection authorities if personal data has been compromised. The situation can get especially complicated if you have customers in multiple locations.
It’s likely that the company will need to call on legal advice to ensure compliance with your reporting obligations. It’s expensive, but often essential, to avoid sleepwalking into regulatory fines and/or civil action.
The lawyers tell you who you need to notify, and the information you need to provide. But to get the message right, you need reputation management expertise. Once again, it may be necessary to call on outside help.
A PR expert should be able to advise you on how to frame your initial notifications. You may well be faced with an influx of customer queries, so you’ll need help in putting together a crisis communications team.
Information security incidents - including ransomware attacks - are almost never covered by general insurance. For anti-ransomware protection, the business will need a specific cyber insurance policy.
Cyber insurance should protect you from direct loss of income as a result of an attack. Many insurers will also put you in contact with remediation and recovery services. However, some costs may not be covered, such as the long-tail reputational damage of an attack. What’s more, if you have to wait for the insurer to investigate before paying out, it can place massive pressure on cash-flow.
Don’t ignore the threat
Knowledge of malware detection, network security, user education, backup and recovery are all essential elements of any anti-ransomware strategy.
For a head start in keeping your company safe, take a closer look at VIP membership to the StationX Cyber Security school.