Ransomware had another banner year, and if the weekly news stories are any indication, we unfortunately don’t expect things to get better in the near future. The ransomware threat is so prevalent that it has become the top cyber exposure concern among risk professionals globally, according to the annual Allianz Risk Barometer. This ranking speaks volumes, considering that the same risk professionals identify cyber incidents overall as the biggest risk category, ahead of business interruption and natural disasters.
When SpyCloud surveyed CISOs earlier this year, we weren’t surprised to learn that ransomware was the threat that concerned them the most. However, we were surprised to find in our 2022 Ransomware Defense Report that organizations are increasingly relying on insurance to mitigate this threat: 72% of those surveyed have purchased a ransomware rider or coverage in the past year, compared to only 50% in the previous year’s survey. This indicates that many organizations may be looking for a temporary answer to the ransomware risk rather than a long-term fix. They are also likely overlooking the fact that the consequences of ransomware go far beyond the material damage.
The Far-Reaching Ransomware Implications
Don’t get us wrong – the material damages of ransomware attacks by themselves can be tremendous. The average ransom alone was $812,360 last year, while the average cost of recovery was $1.4 million, according to Sophos data. IBM’s annual Cost of a Data Breach Report shows an even higher price tag for a ransomware attack: $4.5 million on average, not counting the ransom (surpassing the $4.35 million average cost of a data breach). Mitigation is not the only cost, either – 86% of organizations report losing revenue.
The potential damages inflicted by ransomware, however, don’t stop at financial costs. Unlike data breaches or other attacks that mostly unfold behind the scenes, ransomware is usually a very visible crime. That means brand reputation could take just as big a hit as the bottom line. For example, more than a quarter of organizations that experience downtime due to a cybersecurity incident say their brand reputation suffered.
While reputational damage is difficult to measure, business leaders understand that brand reputation impacts the bottom line. On average, executives across the globe attribute 63% of their company’s market value to the company’s overall brand reputation. So it makes sense that damage to brand reputation was ranked by SpyCloud survey respondents as the second greatest impact of a ransomware attack on their organization. And these concerns are not unfounded: more than 60% of ransomware victims say they’ve lost a customer, and 38% say they’ve lost multiple clients as a result of reputational damage.
Another area of the business that companies may not think about is personnel. Being in the middle of an attack is a stressful experience for everyone, and even employees not directly involved with mitigation are impacted, with 52% reporting trouble sleeping and other mental health issues. Additionally, 71% of employees say their productivity has been impacted.
These kinds of negative experiences contribute to job dissatisfaction. Whether dissatisfied employees leave the business or simply lose the enthusiasm for their job, the company’s bottom line will suffer in the long term.
Impact on SOC Personnel
While all employees feel the ripple effects of a ransomware attack, security operations center (SOC) personnel are the ones who take the biggest hit during the crisis and long after. Many organizations lack the tools that incident responders need to gain complete visibility across their entire ecosystem, and trying to find the answers in the middle of the crisis quickly becomes overwhelming. Two out of nine IT directors report that employees responding to a ransomware attack have become so jaded during the first week of ransomware response that they had to be sent home.
Remediating ransomware takes weeks and potentially months, which means SOC analysts and incident responders have to pull double duty (regular security operations and additional ransomware cleanup) for some time. By the end of the first month of response, 57% of employees directly involved in remediation experience tiredness while 25% report feelings of anger and sadness. Consequently, almost one-fifth consider leaving the job as a result of their ransomware attack experience. Given the cybersecurity talent shortage – currently estimated at 3.4 million globally – this kind of turnover puts organizations at high risk, leaving them exposed to cyber threats without adequate staffing to defend against them.
Improving Ransomware Response with Better Visibility, Automation
One of the main reasons organizations struggle with ransomware is the gaps in their ransomware prevention strategies. Many security teams don’t have full visibility into their ransomware risks, especially risks stemming from malware-infected devices, which create open doors to corporate networks. In fact, malware-infected devices are one of the most commonly overlooked, hidden ransomware threats.
Without an understanding of the complete scope of the threat – due to their lack of visibility into all infected devices, users, and exposed applications – the SOC team simply cannot mitigate the long-term risks of ransomware. The fresh data that infostealer malware siphons off an infected device gives ransomware operators easy entry into the network. As long as this information – such as the credentials and session cookies for critical workforce applications, including SSO – remains active, it can be used to target the organization.
As a result of incomplete post-infection remediation steps, the organization will remain at risk of ransomware for months and possibly longer. That’s one reason why nearly 78% of organizations report being hit with ransomware multiple times, as SpyCloud’s 2022 Ransomware Defense Report shows.
In addition to gaining visibility into malware-infected devices, applications, and users, SOC teams could greatly benefit from automation. Automated insights that provide evidence of compromise, not simply alerts, can help ransomware responders take quick remediation steps on the specific data that’s been siphoned from infected devices, rather than scrambling for hours to find a root cause and resolution.
The bottom line is that ransomware threats are a business risk. And this risk will not decrease any time soon, since cybercriminals see ransomware as a highly lucrative gig. Ensuring protection from hard-to-detect malware infections that serve as ransomware attack precursors and implementing comprehensive post-infection remediation are actionable steps that any organization should consider as part of its ransomware prevention program.