Seven Factors Analyzing Ransomware’s Cost To Business

Forbes Technology Council

Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world's largest security awareness training and simulated phishing platform. 

Ransomware has disrupted our fuel supply, our food supply, the health care industry and even education, and its impact has been devastating. U.S. officials are already calling it a national security threat, and ransomware investigations now receive a level of priority on par with terrorism.

Calculating the true cost of ransomware involves several variables, so estimates vary widely depending on the industry and on who is asked. The FBI's Internet Crime Complaint Center, for example, put ransomware losses at $29.1 million in 2020, but that figure counts only complaints filed with the FBI and, by the report's own note, excludes lost business, downtime, wages and third-party remediation. Other reports put the damage in the billions, and the health care industry alone is said to have faced losses in excess of $20 billion.

So how does one calculate the true cost of ransomware? The best way to reconcile these discrepancies is to treat a ransomware incident like any other business disruption and add up the same categories of downtime and recovery cost that apply to it. Here are seven factors to consider when calculating ransomware’s real cost to business:

1. Cost Of Ransom Payment

This is the most direct and obvious cost, but usually not the largest. Most ransomware attacks go unreported and the amounts paid are often not disclosed, but average payouts across small and large enterprises are often north of $300,000. Keep in mind that averages are skewed by a few exorbitant payouts that attract headlines, so the typical payment is considerably lower than the average.

2. Cost Of Disruption And Downtime

While most governments and security experts discourage businesses from paying a ransom, current studies suggest that 68% of companies end up paying. The likely reason is that the downtime caused by such attacks produces enormous productivity losses, service disruptions and downstream impacts on customers and partners.

According to leading MSPs, the cost of downtime is almost 50 times greater than the ransom demand. When the international currency exchange Travelex was hit by ransomware at the start of 2020, the attack led to weeks of interrupted service for its customers, and the banks that relied on Travelex for foreign currency were affected as well. The losses, compounded by the collapse in travel during the pandemic, were too great: Travelex entered administration later that year.

3. Cost Of Forensics And Recovery

Ransomware forensics and recovery can take a major financial toll, especially for companies that had no incident response, disaster recovery or business continuity plan in place before the attack. The average cost of ransomware recovery is currently estimated at nearly $2 million, and the average cost of the forensic engagement alone is $73,851. For small businesses in particular, the impact can be severe enough that some never recover and are forced out of business.

4. Cost Of Data Loss

Studies reveal that over 90% of victims who pay the ransom don’t get all of their data back. Some decryption tools are faulty or painfully slow, and in other cases the criminals simply walk away without providing decryption keys. Paying also does nothing to recover data that was stolen before it was encrypted: that data is often sold on the dark web, where it serves as an entry point for further intrusions, fraud and extortion. This is another gray area that must be considered when calculating ransomware damages.

5. Cost Of Legal Exposure

Companies that fail to prevent data breaches can face large penalties from regulators. Ransomware attacks can lead to customer records being leaked or services being delayed for extended periods. Privacy violations, negligence, service downtime and loss of business can all lead to expensive lawsuits, fines and settlements. Paying can create liability of its own: under U.S. sanctions rules, as spelled out in the Treasury Department's OFAC advisory on ransomware payments, a payment that reaches a sanctioned actor can result in civil penalties for the victim and for the insurer or other parties that facilitate it.

6. Cost Of Reputation Loss

This is perhaps the most durable cost and also the hardest to quantify. It can take years for a business to win back customers lost to a damaged reputation. Public admission of a ransomware attack can severely impact investor confidence and strain relations with valued stakeholders.

Even when data and services are restored, it is not always easy to win back trust and confidence, especially if the process was not handled transparently. Ransomware attacks are also known to depress stock prices, particularly when investors learn that there could be production or supply chain issues or loss of vital information.

7. Costs Of Infrastructure Before And After A Ransomware Hit

Total cost estimates should include both the defenses you paid for before the incident and the price of the hardening you do afterward to ensure an attack doesn’t happen again. These typically include:

Infrastructure costs that help mitigate the risk of a ransomware attack.

Backup costs and labor costs relating to ransomware preparedness and incident response.

Cybersecurity insurance premiums, if any.

It’s also imperative that you beef up your defenses. Identify and remedy the root causes of the initial attack, including the initial access vector and any credentials or footholds the attackers left behind. Studies show 80% of victims who paid ransoms are hit by ransomware again.

Ransomware has become the next global scourge. Per Cybersecurity Ventures, annual ransomware damages are likely to exceed $265 billion by 2031. Invest in technical defenses and in the policies and procedures needed to patch your applications promptly, and roll out security awareness training combined with frequent simulated social engineering tests to build a security culture that recognizes attacks quickly. It may be difficult to calculate the true cost of a ransomware attack, but one successful infection is far more costly than years of investment in prevention.
