Understanding The True Financial Risk of Ransomware Attacks

By Mark Guntrip, Senior Director of Cybersecurity Strategy at Menlo Security

The European Union Agency for Cybersecurity (ENISA) recently defined today’s threat landscape as the “golden era of ransomware”. Ransomware has become one of the biggest cybersecurity threats facing organizations today in any industry and any market – and unfortunately, it is only likely to get worse.

According to research that Menlo Security recently undertook, a third of organizations (500+ in the US and UK) said they experience ransomware attacks at least once a week, with 9% experiencing them daily. Over half (53%) of respondents to our survey admitted that their company has been the victim of a ransomware attack in the last 18 months.

The shift to remote and hybrid working models has expanded the attack surface, opening up a host of new vulnerabilities, attack vectors and entry points into the corporate network.

Combined with this is the development by attackers of new and ever more sophisticated techniques. We have seen a surge in attacks known as Highly Evasive Adaptive Threats (HEAT), designed to bypass detection from traditional security tools like sandbox analysis and phishing detection solutions.

A tool to make money

Cybercriminals see ransomware as a proven and effective tool to make money, and lots of it, with pay-outs totaling as much as $40 million. The financial effects of ransomware are certainly becoming more pronounced, with more attacks targeted at supply chains and critical infrastructure, causing widespread disruption. The Cybersecurity and Infrastructure Security Agency (CISA) reported in February 2022 that it is aware of ransomware incidents against 14 of the 16 US critical infrastructure sectors.

Despite all the warning signs, are companies underestimating the cost of recovering from such an attack?

Industry figures suggest there is an alarming disparity between the perceived cost and the actual cost of recovering from a ransomware attack among security professionals. Our own survey shows that the average perceived cost is $326,531, with insurance pay-outs extending up to an average of $555,971. Industry figures, however, show that the average total cost of recovery from a ransomware attack was $1.4 million in 2021.

It was encouraging to see that three-quarters of respondents have cyber insurance, although one in four (24%) do not have any insurance or don’t know if they do.

So, with current insurance pay-outs unable to cover even half of the average cost to recover from ransomware, many firms will be under huge financial pressure if they are hit, particularly smaller businesses that may lack the resources and expertise to manage it.

Our research also highlighted some other serious concerns, notably that threats are outpacing security teams.

When we asked security professionals what keeps them awake at night, 41% said they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while a similar percentage (39%) worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate advice and clicking on links or attachments containing malware. In fact, they worry more about this than they do their own job security, with just a quarter worried about losing their job.

Ransomware demands – to pay or not to pay?

There is also some debate in the industry around how best to deal with ransomware demands according to our research. One in three security professionals said they were worried about paying a ransom demand and not getting their data back, but 65% would still pay.

Interestingly, around a third said it was down to their insurance company to pay it, and around one in five (18%) said the government should pay. More than a quarter (27%) of security professionals would never pay a ransomware demand.

Paying a ransomware demand clearly depends on an organization’s level of preparedness. Do they have the right processes in place and strong backup and recovery? If so, they won’t need to pay it. According to our report, however, less than half (45%) of businesses implement a data backup or recovery plan as the first step in the event of a ransomware attack.

This could result in an organization being unable to function as normal, access data, or worse, the impact and damage is likely to bring down the business. If this is the case, that’s when the business needs to seriously re-evaluate its options. Now is the time to re-examine security infrastructure to make sure attacks can be prevented before they even happen.

About the Author

Mark Guntrip is Senior Director of Cybersecurity Strategy at Menlo Security, responsible for articulating the future of threats to security leaders around the world. Prior to joining Menlo Security, Mark has been security strategist at Proofpoint, Symantec, Cisco, and several other leading cybersecurity providers.