Like any business decision, handling ransomware needs to be approached with ROI in mind. Is it better to invest in ransomware-preventing technology, or is the risk sufficiently low?
There is no question that ransomware is a big issue. It is predicted that a different business will fall victim to a ransomware attack every 14 seconds in 20191. And it is costly: an estimated $5 billion was paid out by organization in 2017 as a result of ransomware attacks2. Despite all this, 44% of organizations have not implemented any kind of security software that blocks ransomware3.
The cost of a ransomware attack
The cost of falling victim to a ransomware attack be either the amount of the ransom or the expense to recover the lost files. To figure out the risk-adjusted cost of not implementing preventative ransomware security software, let’s take a look at a few factors.
1. How expensive is the ransom?
An Internet Security Threat Report analysis of ransomware code deployed in 2017 determined that the average ransom demanded in a ransomware attack is $544 per infected user4. Let's round that number. The risk adjusted cost of a ransomware attack, if you pay the ransom is a simple calculation,
employees x $500 = your cost of ransom
This does not take into account external costs associated with a ransomware attack. 69% of organizations that suffered an incident reported adverse effect on their revenue and 67% reported a hit to their company’s reputation5. AP Moller-Maersk a Danish shipping company predicted the Petya ransomware attack cost them $200-300 million in lost revenue6.
2. What is the total cost of recovery?
If you do not pay the ransom, the cost of recovery can be higher. Estimates vary widely, but according to the 2017 Cost of Cyber Crime study7 it ranges from $436 to $1,726 per employee. If we assume the number is somewhere in the middle ($1,000), then you can calculate your risk adjusted cost of a ransomware attack using the following,
employees x $1,000 = recovery cost of not paying ransom
Again, this does not include the external price of an attack. Hits on revenue and reputation do not go away when you do not pay the ransom, and because the expense and security risks of an attack are considered material, public companies cannot avoid reporting them to shareholders. For most organizations, the loss of trust and reputation continues to hit their bottom line long after the attack itself is resolved.
3. How likely are you to fall victim to an attack?
In 2017, most every company with an email address was targeted with ransomware, but the likelihood of falling victim seems to largely depend upon company size. According to the 2017/18 Global Fraud and Risk Report8, 70% of executives from large enterprises reported their organization has had a cybersecurity incident in the past year. Of those executives who had an incident, 18% said their organizations were victims of ransomware attacks.
70% large enterprises had a cybersecurity incident x 18% were victims of ransomware =
12.6% of large enterprise organizations were victims of ransomware attacks
1 in every 8 large enterprise organization will fall victim to a ransomware attack in a given year. For smaller and medium sized businesses the number is much higher with 45% of organizations experiencing a ransomware attack in the past 12 months9.
1 in 8 will fall victim to ransomware
For Small or Medium Businesses
45% will experience an attack
After you fall victim to an attack, the outlook is even more grim. Half of organizations who have fallen victim to a ransomware attack will be attacked again10.
4. Calculating risk adjusted cost of a ransomware attack
Accountants use the risk-adjusted cost of future events to determine whether to spend money on preventative measures, buy insurance, or do nothing at all. For example, the risk-adjusted cost of a fire (high cost, reasonable likelihood) makes it cost-effective to buy an insurance policy.
For Enterprise (Annual)
risk-adjusted cost = (employees x $1,000) / 8 = $125 per employee
For Small or Medium Businesses (Annual)
risk-adjusted cost = (employees x $1,000) x 45% = $450/employee
Calculating the risk-adjusted cost of ransomware makes it easy to determine if it is worth investing in prevention. If you are a small business with 40 employees, the risk-adjusted-cost of ransomware is $22,500 per year. For a large organization, it is worth spending up to $125 per employee each year on ransomware prevention. In all cases, if you can find malware protection tools priced less than the risk-adjusted cost of a ransomware attack, it is worth investing.
From a financial perspective, choosing to forego the use of a preventative ransomware solution is extremely expensive. With a few simple calculations it becomes clear that a small investment now can save you money in the long run. Because the prevalence and costs of ransomware attacks continue to grow each year, the math will only make it more urgent to seek preventative tools now.
1 It is predicted that a different business will fall victim to a ransomware attack every 14 seconds in 2019. [source]
2 An estimated $5 billion was paid out by organization in 2017 as a result of ransomware attacks. [source]
3 44% of organizations have not implemented any kind of security software that blocks ransomware. [source]
4 The average ransom demanded in 2017 was $544 per infected user [source]
5 69% of organizations that suffered an incident reported adverse effect on their revenue and 67% reported a hit to their company’s reputation [source]
6 AP Moller-Maersk said Petya attack will cost them between $200-300 million in lost revenue. [source]
7 Cost per seat in recovery from an attack [source]
8 70% of executives report their organization had a cybersecurity incident in 2017, 18% of those reported they were victims of a ransomware attack. [source]
9 45% of SMBs were victims of ransomware attack in past 12 months [source]
10 Half of ransomware victims suffer repeat attacks [source]
11 46% of ransomware attacks infect through spam and phishing emails. [source]