Why Ransomware Should be on Your Radar – And in Your Security Budget
Ransomware is here to stay. Attacks have doubled in frequency this year, touching every major industry across the globe. Once a side character in the cybersecurity game, it has become the third most frequent type of data breach according to the 2021 Verizon Data Breach Investigations Report. And with new approaches emerging like double extortion and ransomware as a service (RaaS), attacks are becoming both more sophisticated and accessible to criminals.
So what is ransomware, how much will it cost you, and what do you need to consider as you prepare your security budget for next year?
First, let’s define our terms.
Ransomware is a type of malware. So, really, our first question is – what is malware? Malware is software meant to damage or disrupt a computer system. In the case of ransomware, that malware serves to hold critical systems and sensitive information hostage until a ransom fee has been paid.
Now, what will it cost you?
First, there are the fees – which are growing. In 2018, for example, the average ransom was $5,000. Today, that average has increased to $200,000 (National Security Institute).
What about the highest fee ever? That honor goes to an insurance company that had to fork over a whopping $40 million, according to Business Insider.
There are other costs to consider, too, like the brand damage and loss of customer confidence that can come with a major breach. Couple that with the fact that experts estimate a ransomware attack will happen every 11 seconds this year (according to Cybercrime Magazine) – and you’ve got an even bigger cost center hanging over your company’s head.
Factors to consider when planning for ransomware
Do people rely on your services?
The average downtime associated with ransomware attacks is now 21 days (Coveware). Downtime in any industry is costly – but for critical infrastructure services, it also means a major interruption to daily life for your customers. Additionally, as the supply chain becomes a more popular target, you’ll need to consider the relative strength or weakness of every link – third parties included.
Where you’ve seen it already: In May 2021, a single stolen password from Colonial Pipeline triggered a fuel shortage across the U.S. Southeast. A month later, seven of the company’s finance systems were still down.
Does your business model depend on exclusive content?
Ransomware focuses on withholding valuable information until a fee has been paid. If your business is content – that means the very novelty of your primary product is also at stake.
Where you’ve seen it already: Video game developer CD Projekt Red suffered a ransomware attack in February, leading to the leak of data related to its games – including an unreleased version of Witcher 3.
With the historical precedent of large fees, can you withstand multiple attacks?
You might be thinking that in the event of a ransomware attack, particularly one that demands an enormous fee, you’ll just refuse to pay. On top of the potential damages we’ve already discussed, be prepared for additional fees that might come next.
Where you’ve seen it already: Taiwanese hardware supplier Acer refused to pay a $50M ransom in March 2021, and by October, they had faced a second attack on a local system in India.
Is ransomware prevention in your budget yet?
As the past year has shown us, no one is immune to ransomware attacks – and the pace and intensity of attacks show no signs of slowing down. In a cost-benefit analysis, taking preventive measures against ransomware wins out. However, a one-size-fits-all approach is equally a waste of money since some company assets are more critical – and carry more business value – than others. A consultative approach can help you make the correct strategic interventions to prevent ransomware attacks.
P.S. Stay tuned for Part 2 in our ransomware series, where we discuss key preventive actions you can take to secure your enterprise.