To make a rational risk assessment about any scenario, you need to know what the possible outcomes are, and the consequences of each outcome. The alternative to proactive investment is reactive crisis response, which most frequently manifests in the form of this question when it comes to ransomware: “Do we pay the ransom or not?” Although the answer is pretty much always “No,” it's important to understand the real costs of ransomware.
Defending your organization against information security threats requires costly investment in both information security technologies and backup and disaster recovery technologies. Network defense means obtaining, deploying, managing and maintaining an increasingly bewildering array of technologies designed to prevent compromise in the first place, while also accepting that in the fullness of time compromise is inevitable.
Throwing in the towel, on the other hand, means that not only is compromise inevitable, but it will occur more frequently. Today’s information security defenses may be imperfect—hence the inevitability of compromise—but they really do keep most of what’s out there from doing damage.
But what does that damage actually look like? If the cost of defending your network were multiple millions of dollars, and the cost of any given compromise event were a few hundred dollars, the incentives would tip toward not investing in information security.
Information security, however, is a massive industry. Companies large and small invest continuously in improving their information security posture, so it’s safe to assume that the costs of compromise are substantial. And the limited publicly-available information that exists on the topic validates this analysis.
Ransomware attacks are now everyday occurrences. It’s common because it’s effective: mainstream news outlets were reporting ransomware as a billion-dollar criminal “industry” as early as 2016. Let’s take a look at some stats surfaced by Heimdal Security in their Ransomware Payouts in Review blog.
Probably the two most important stats surfaced in their piece are that “the average mitigation cost of a ransomware attack was $1.85 million” and “80% of victims who gave into ransom payouts experienced another attack soon thereafter” (all figures in U.S. dollars).
There are very few organizations for whom $1.85 million is the corporate equivalent of some loose change lost down the back of the couch. And while it’s true that the “average” quoted above doesn’t convey the wide spread of ransomware payouts, even fairly pedestrian ransomware demands by smaller ransomware gangs can run into thousands of dollars for individuals and tens or hundreds of thousands of dollars for small businesses.
In Sophos’ State of Ransomware 2021 survey, 37% of respondents were hit by ransomware within the last year. And because Sophos is a security vendor, their survey respondents will by default be biased towards companies that have already invested in information security defenses. Organizations which choose to forgo proactive investment will be hit at much higher rates.
Ransomware, of course, is only one example of cybercrime. In its Cost of a Data Breach 2021 report, for example, IBM estimates the average cost of a data breach as being $4.24 million.
Cybercrime is also very responsive to world events. COVID-19, for example, was widely taken advantage of by cybercriminals, resulting in a documented 600% increase in cybercrime so far during the pandemic. McAfee estimates the global cost of cybercrime in 2020 as being upwards of $1 trillion.
Worryingly, organizations of all sizes are woefully unprepared to deal with cybercrime. Accenture’s 2019 Cost of Cybercrime report estimates that 43% of cyberattacks are aimed at small businesses, with only 14% of those businesses confident that they can defend themselves.
Larger organizations fare no better. In the U.S., governments at all levels, in addition to private-sector companies that are considered vital infrastructure, have been the subject of so many frequent (and successful) cyber-attacks that President Biden has signed an Executive Order that, among other things, established a Cybersecurity Safety Review Board to analyze cyber incidents after they have occurred and make recommendations to prevent similar incidents.
This was followed by another Executive Order (the Civil Cyber-Fraud Initiative) which promises to punish federal government contractors that don’t live up to their commitments; to levy fines against individuals for negligence regarding cybersecurity; and to offer strong whistleblower protections to encourage people with knowledge of negligent practices to come forward. This was itself followed by the first of a new series of international meetings aimed at increasing international cooperation to fight ransomware.
If you feel that your organization’s information security defenses aren’t ready to defend against the myriad cybersecurity threats we all face, you’re in good company. Big or small, organizations are worried about their own cybersecurity capabilities, and are increasingly falling victim to cybercrime, the most visible form of which is ransomware.
If the above statistics and evolving regulatory environment don’t motivate you to invest proactively in information security, perhaps the baleful eye of the U.S. Securities and Exchange Commission (SEC) might change your mind. Very few government organizations in any country are as feared as the SEC, and they have turned their attention to the market impacts of cybercrime.
In early 2018, the SEC voted unanimously to approve a statement and interpretive guidance regarding cybersecurity risk and incident disclosures. Later that same year, they reached a settlement with Yahoo! for $35 million for failing to disclose a data breach.
Legal ethicists in St. Mary's Journal on Legal Malpractice & Ethics are also weighing in, saying “A failure to find adequate funds for cybersecurity improvements will make law firms more vulnerable to cyber-attacks, but it also makes it difficult for them to comply with professional responsibility norms, thus resulting in greater legal malpractice and other risks.”
Ransomware is only one type of information security compromise that can happen to your organization. But all on its own, this class of compromise event is painfully costly, and occurs with such alarming regularity that it can and does justify proactive information security investment. Taken as a whole, the risks and costs of cybercrime have become so evident that a failure to invest is now considered, quite literally, negligent malpractice.