As predicted by many, 2016 became the Year of Ransomware. Total ransoms paid in 2016 swelled to over $1 billion and about half of organizations were hit. Meanwhile, 2017 is not off to a great start. In fact, over just the last week, the WannaCry / WannaCrypt malware victimized over 230,000 systems in over 150 countries.
Even now, some organizations remain content to pay a ransom instead of working to improve their recovery and defensive cybersecurity capabilities. In part, this is because ransom amounts may be considered “inexpensive.” For example, the ransom demand for WannaCry was $300 US.
However, there are significant costs and risks that make relying on paying the ransom a very dangerous and expensive strategy. Normally, recovery from a ransomware attack is far more than applying keys to decrypt data. There are often forensics, legal fees, IT infrastructure clean-up and modifications, etc.
One visible example involves a public utility based in the Midwest. After an attack blocked access to its accounting and email systems, the utility paid a $25,000 ransom for the keys to decrypt its data. But actual costs dwarfed the ransom – it took about a week to actually return to normal, and the utility eventually paid approximately $2,000,000 in related costs to address the fallout.
Costs from a cyber-attack are difficult to quantify, but one estimate puts the total expected worldwide losses due to WannaCry at $4 billion, even as the total ransoms paid remain well under $100,000. Costs can fall into many different categories:
- Lost Revenue – with 72 percent of companies losing their data for at least two days after an attack, and almost one-third for more than five days, these amounts can be significant.
- Stock Price – one study suggests that a severe cyber security breach results in a permanent decline in corporate valuation of 1.8 percent. Thus, a company worth $1 billion could expect to lose close to $2 million in valuation. The same study notes that a particularly severe issue could result in a decline of 15 percent.
- Damage To Reputation – what do customers and partners think if they are unable to transact business with an organization for several days? Customers may go elsewhere, both for the time they are unable to transact business – and potentially in the future.
- Litigation – if an attack causes enough harm, shareholder or other litigation may result, particularly if an organization is highly regulated or publicly traded. Costs for forensics and investigations, legal fees and related disruptions can easily run into millions of dollars.
- Regulatory Enforcement – if an organization fails to address a known vulnerability – which might be the case after a first successful ransomware attack – it could be subject to heightened regulatory enforcement and penalties, such as FTC Section 5 liability or industry-specific mandates such as HIPAA.
Protection Against Cyber Threats
There are many steps that organizations should consider to better protect against ransomware and other cyber threats. Here are some guidelines:
- Leverage cybersecurity best practices – cybersecurity defenses encompass a broad set of capabilities, and no single one is effective against all threats. Frameworks such as the NIST Cybersecurity Framework can help organizations to benchmark their current capabilities, plan for what is needed on a risk-adjusted basis, and insure that they are evaluating key capabilities and addressing areas of concern.
- Review your current data protection and backup practices – evaluate your current backup operations. Are your data protection and backup capabilities actually working and could you use them to quickly restore key systems after an attack? Have you tested this theory?
- Consider having a gold copy of business critical systems – if a system is too critical to lose, consider an isolated recovery infrastructure in addition to your standard data protection and recovery solutions. This infrastructure should not be on the production network.
- Work with the Board – decision can be made quicker and budgets can be made available when an organization’s Board of Directors is involved. Given the potential for significant business disruption or discontinuation, and even liability, your Board should be briefed on these threats and what can be done to protect against them.
- Check your insurance – more organizations are evaluating cyber insurance to protect against losses. Coverage and prices vary widely today, but they are worth investigating to balance risk.