Commentary

When Companies Compensate the Hackers, We All Foot the Bill

Ensuring stronger in-house defenses is integral to retaining customer loyalty.

Companies are always absorbing costs that are seen as par for the course of budget planning: maintenance, upgrades, office supplies, wastage, shrinkage, etc. These costs ratchet up the price of a company's products and are then passed on to the consumer. Breaches in cybersecurity and paying out ransoms to hackers should be outside of this remit, and yet more than half of all companies admit to transferring the costs of data breaches on to consumers. Careless or ill-informed employees and other weaknesses in a company's protections lead to catastrophic losses to businesses of around $1,797,945 per minute — and the consumers are paying it off.

Feeding the Virus

If a company estimates the recovery costs from a ransomware attack to exceed the payment the hacker demands, then it feels like a no-brainer — it's better off cutting its losses and giving in to the cybercriminal's demands. The issue is that this creates a vicious circle: paying the hacker reinforces the nefarious behavior and empowers hackers to increase both the number and the size of ransoms.

When it comes to ransomware, 32% of companies pay off hackers, and, of that percentage, the average company retrieves only about 65% of its data. Giving in to hackers is counterproductive. On an even more disturbing note, one study found that 80% of companies that paid a ransom were targeted a second time, with about 40% paying again and a majority of that 40% paying a higher ransom the second time round. This is ludicrous. With 33% of companies suspending operations following an attack, and nearly 40% resorting to laying off staff, it comes as no surprise that the downstream costs are picked up to some extent by the consumer.

Targeting the Weaker Defenses

As for smaller companies, about 50% of US small businesses don't have a cybersecurity plan in place, despite the fact that small businesses are three times more likely to be targeted by cybercriminals than larger companies. An average breach costs these companies around $200,000 and has put many out of business. It isn't simply the cost passed on to consumers; it's also the loss of intangible assets, such as brand reputation.

When data is leaked and a site goes down, customers become rightly anxious that their information will be sold to the highest bidder on the Dark Web. To safeguard against this, companies of all sizes should take advantage of automated defenses while training every single member of staff to recognize and report online threats. Paying a ransom does not guarantee the return of data, and for a smaller business, losing valuable customer information could cause long-term damage well beyond the initial attack.

Forearmed Is Forewarned

Cybersecurity professionals, governments, and law enforcement agencies all advise companies not to pay hackers' ransoms. This strategy is affirmed by the success businesses have had in retrieving the stolen data and turning the lights back on — 78% of organizations that say they did not pay a ransom were able to fully restore systems and data without the decryption key. This evidently is not enough to reassure companies that, after a single click on a dangerous email, have lost sensitive information and access to their systems and are desperate to get back online. There are many preventative measures businesses can take before it ever gets to that stage.

Cybersecurity insurance is a way of mitigating the financial damage associated with an attack, although a company must meet strict security eligibility requirements to qualify for coverage. These can include implementing measures such as multifactor authentication, endpoint detection and response, privileged access management, and patch management. A more cost-effective and equally necessary route is to conduct a company-wide exercise mimicking an attack — this can highlight frailties in the system. Before ever depositing a cent into a hacker's bank account, a company might consider employing a ransomware negotiator on retainer. Whether negotiation services are available should be determined well in advance, in the incident response plan.

Plan Before You Pay

Cybersecurity costs are now considered inherent to running a company — and therefore they are passed straight on to the consumer. There is no foolproof method for anticipating or preventing ransomware attacks, but there needs to be a real adjustment in how companies deal with them and in who ultimately ends up paying.

Paying the piper emboldens the criminal syndicates behind the hackers and only serves to drive up ransom demands, opening the door to more attacks and burdening the consumer with higher prices. Businesses must assess their security perimeters more diligently, as ensuring stronger in-house defenses is integral to retaining customer loyalty, as well as to the survival of the company itself.