The High Cost of Ransomware
Companies are spending an average of $6 million annually on ransomware mitigation resources.
That’s according to CBI’s new research report, “The Cost and Consequences of Ransomware.” The research was conducted by Ponemon Institute.
Eighty percent of companies surveyed have experienced a ransomware attack, despite spending millions on ransomware mitigation resources.
According to the research, the average IT security budget for 2022 is about $24.4 million. Of that, 25% is expected to be spent on preventing, detecting, containing and resolving ransomware attacks.
Only 32% of respondents are confident in their security controls, indicating that more effective approaches to preventing ransomware attacks are needed.
Shaun Bertrand is CBI’s chief services officer.
“It’s hard to remain confident when we see the success that ransomware threat actors continue to have,” he said. “Every day there is another organization that has made headlines for being compromised with ransomware. In addition, organizations are still challenged in many areas like risk visibility, phishing attacks and their ever-changing topology. Despite the investment in ransomware protections, organizations still face a grueling uphill battle.”
The report uncovered other significant takeaways relating to organizations’ approaches to and experiences with ransomware incidents:
- Seventy-five percent are concerned about the ransomware risks posed by third parties, but only 36% of organizations evaluate their third parties’ security and privacy practices.
- The average ransomware payment is approximately $1 million.
The report found that companies are spending $170,000 per ransomware incident on staffing alone, with an average of 14 staff members each spending 190 hours on containment and remediation activities. The report also uncovered a significant lack of trust in the ransomware alerts respondents receive: nearly one in two of the alerts received each week is considered unreliable.
Fifty-three percent of companies that experienced an attack paid the ransom. The most common reason given was to avoid operational downtime. Of those that didn’t pay, 39% said they had an effective backup strategy. However, 55% of organizations felt that full and accurate data backups are not enough to properly mitigate a ransomware incident, likely because, in 41% of cases, sensitive data was also exfiltrated during the attack. Backups can restore systems, but they cannot undo the exposure of data that has already been stolen.
“There are two things organizations can do more effectively to protect themselves,” Bertrand said. “The first is to understand that ransomware attacks are evolving. From data leakage to denial of service (DoS), the adversaries are changing their approach. Organizations can stay ahead of the curve by better understanding the anatomy of these changes, and establishing effective controls and countermeasures. The second thing organizations can do better is to not try to boil the ocean when it comes to preventing and detecting attacks. There are hundreds, probably thousands of techniques, tactics and procedures (TTPs) that malicious adversaries can leverage. Instead of trying to protect against every single technique an adversary may use, organizations should conduct threat modeling exercises to narrow down the most probable TTPs and focus detection and prevention resources on those more viable attacks.”