Why then do so many organizations fail to invest in security, thinking that they can pay off a hacker’s ransom or predict, often incorrectly, the ultimate cost of a breach? Though the average is just over 1.5M, a growth of 50% in just two years, the real cost depends upon the type of data compromised – i.e., the vertical, such as finance or healthcare – the extent of the breach, and the length of time the intruder has remained undetected. And there are both direct and indirect costs, with some estimating the overall cost of a breach at over 10% of revenue. How many organizations can afford that loss?
In fact, based on a recent study by NTT, 34% of organizations would rather pay the ransom, ranging from a low of 21% in the UK to 41% in Germany. Remember that paying a ransom may not actually result in recovered data, and it also delays correction of the root cause. Another day, another ransom request. However, the industry is heading in a positive direction: a year earlier, an analysis published by Trend Micro found that 75% would be willing to pay.
The problem with paying the ransom is that it usually doesn’t pay off. A study by the CyberEdge Group shows that of the 39% of ransomware victims who have paid, less than half recover their data. One interesting observation is that the number of organizations that actually pay is about half the number that say they will pay. When combined with those who refuse to pay in the first place, the overall rate of data loss among organizations hit by ransomware is on the order of 27%.
However, with conflicting guidance even among security researchers, it is really up to the executive team at the organization to decide whether or not to pay. Panic sets in, and continuity of business or the threat of confidential data appearing in the public domain can be the deciding factor. Still, it is much better not to be put in that compromised position in the first place. But how?
A common refrain is that the organization is ‘too small’ to be subject to such-and-such breach, or that security controls are too much of a burden for employees. True, security must be usable to be effective, and a balance is required, but this balance is really about understanding the difference between being first and being first and secure. And being too small is increasingly not an excuse if the organization is part of a larger vendor’s supply chain. There is a growing awareness of this third-party risk, with contractors and temps identified as the weakest link by 60% of respondents in the NTT report, and partners / suppliers identified by 49%. There are larger issues at play as well.
The same report shows that less than half (45%) of the organizations surveyed have an incident response plan, possibly a driver for the ransom payments described earlier; 41% consider all their critical data to be secure, an overestimation; and 43% believe that security is only the responsibility of IT, leading to stovepipes and a lack of communication.
So, how not to fall victim?
Brian Krebs, a well-known influencer in the security space, has published three cardinal rules of online security:
Mapping these precepts to action:
Larger organizations can of course deploy more sophisticated forms of protection, but the above should serve as a baseline. That being said, why not avoid the bandage solution of simply “winging it” and hoping the organization isn’t targeted, and instead actually invest the time and money into curing the actual issue at hand – security? By doing so, organizations will be able to prevent, rather than remediate, the ransomware attacks they might find themselves faced with, and can come out on top.