Why then do so many organizations fail to invest in security, thinking that they can pay off a hacker’s ransom or predict, many times incorrectly, the ultimate cost of a breach? Though the average is just over 1.5M, a growth of 50% in just two years, the real cost depends upon the type of data compromised – i.e., the vertical, such as finance or healthcare – the extent of the breach, and the length of time the intruder has gone undetected. And, there are both direct and indirect costs, with some estimating the overall cost of a breach at over 10% of revenue. How many organizations can afford this loss?
In fact, based on a recent study by NTT, 34% of organizations would rather pay the ransom, ranging from a low of 21% in the UK to 41% in Germany. Remember that a ransom may not actually result in recovered data, and paying it also has the effect of delaying the correction of the root cause. Another day, another ransom request. However, the industry is heading in a positive direction, since a year earlier, an analysis published by Trend Micro found that 75% would be willing to pay.
The problem with paying the ransom is that it usually doesn’t pay off. A study by the CyberEdge Group shows that of the 39% of ransomware victims who have paid, fewer than half recover their data. One interesting observation is that the number of organizations that actually pay is about half the number that say they will pay. When combined with those who refuse to pay in the first place, the total data loss is on the order of 27% if an organization has been hit by ransomware.
However, with conflicting guidance even among security researchers, it is really up to the executive team at the organization to decide whether or not to pay. Panic sets in, and continuity of business or the threat of confidential data in the public domain can be the deciding factor. Still, much better not to be placed in a compromised position in the first place. But how?
A common refrain is that the organization is ‘too small’ to be subject to such-and-such breach, or that security controls are too much of a burden for employees. True, security must be usable to be effective, and a balance is required, but this balance is really about understanding the difference between being first or being first and secure. And, being too small increasingly is not an excuse if part of a larger vendor’s supply chain. There is a growing awareness of this third party risk, with contractors and temps identified in the NTT report as the weakest link by 60%, and partners / suppliers identified by 49%. There are larger issues at play as well.
The same report shows that less than half (45%) of the organizations surveyed have an incident response plan, possibly a driver for the ransoms described earlier; 41% consider all their critical data to be secure, an overestimation; and 43% believe that security is only the responsibility of IT, leading to stovepipes and a lack of communication.
So, how not to fall victim?
Brian Krebs, a well-known influencer in the security space, has published three cardinal rules of online security:
Mapping these precepts to action:
Larger organizations can of course deploy more sophisticated forms of protection, but the above should serve as a baseline. That being said, why not altogether avoid the bandage solution of simply “winging it” and hoping the organization isn’t targeted, and actually invest the time and money into curing the actual issue at hand: security? By doing so, organizations will be able to prevent, rather than remediate, any ransomware attacks they might find themselves faced with, and can come out on top.