Saturday, September 18, 2021

The 8 Indirect Costs Of A Ransomware Attack

Once again, the one story that made pretty much all of the splashes was Ransomware.  I wrote a blog about this over the weekend, on how insurance companies are no longer paying claims for ransom payments.

But one thing did strike me as I was posting these stories:  the financial toll that a Ransomware attack takes on a business.  In the end, all we keep hearing about is the total dollar amount of the impact.  While this is of course very important, one also has to pay attention to the components that make up this number, and to how each of them hits the company's bottom line.

So, in today's blog, we are going to review some of these key components.  Keep in mind that this is not at all a complete list:

*The cost of your policy:

Just like your car and medical insurance policies, you are paying either a monthly or an annual premium on your Cyber Insurance policy.  It may or may not cover everything, so it is a good idea to carefully review once again what is actually covered.  My recommendation would be to get a good lawyer who specializes in this area to help you out.  For example, if there is something that should be covered and is not, they can negotiate on your behalf with the insurance company.  And remember, try to get coverage ASAP:  you will not be covered after you have been impacted.  So whatever you are paying in premiums for this, you need to include it as an expense, because it is money out of the bottom line.

*Incident Response:

This is yet another cost, especially if you have a dedicated team.  For instance, if your company is large enough, it is quite possible that you have a dedicated team for this specific function.  Then the cost here would be the salaries and benefits that you pay these employees.  Or, if you have outsourced this to a third party, such as a vCISO and their team, then the cost would be the contract on which you have engaged them.  Whoever you make use of, they need to be proactive and make sure that there are no threat actors lurking inside your business.  Of course, they will need the appropriate scanning tools to do this, and this is another cost that needs to be taken into consideration as well.

*The legal costs:

No matter what business you are in, you always need to have an attorney on hand.  They could be in-house counsel, or somebody that you have outsourced on an as-needed basis.  Whatever it is, this is probably one of the biggest expenses associated with a Ransomware attack.  For example, if you are hit with one, there is a high probability that you could face some serious lawsuits from the key stakeholders in your company.  Also, you will need legal advice on how to properly report the incident to federal and state authorities so that you mitigate the risk of facing serious financial penalties.  They can also be a great source of advice on whether you should actually pay the ransom or not.  Remember, there could be legal repercussions if you do decide to pay up, as I mentioned in the blog from last weekend.

*Dealing with the PR aspects:

Apart from dealing with the downtime you will face from a Ransomware attack, another huge nightmare for most victims is dealing with the public aftermath.  If you are an SMB owner, then most likely you do not have a dedicated Public Relations (PR) expert.  In this case, you will need to hire a reputable PR firm that can handle all of the external communications for you, especially when it comes to dealing with the media and customers.  This can also be a huge expense that you need to take into consideration.  It may be tempting to go at this on your own, but even the slightest wrong thing said can be taken immediately out of context and used against you, causing even more financial damage.  So, it is wise to hire a PR agency in this regard.

*Negotiating the ransom:

Yes, believe it or not, there is a group of professionals out there who specialize strictly in negotiating down the ransom, in case you decide to pay up.  These kinds of consultants are not cheap either, and very often bill by the hour.  The one key advantage that they do bring to the table is that they will ensure that your payment is converted accurately into the appropriate virtual currency (most likely Bitcoin), and that it is properly received by the Cyberattacker group in question.

My Thoughts On This:

So, here are some of the key costs that you should probably take into consideration when calculating what the true cost of a Ransomware attack will be, even if you have not become a victim.  There are other key costs as well, which include the following:

*Indirect costs:

These mostly deal with the costs associated with the loss of brand image and existing customers, and with getting new customers on board.

*Costs of recovery:

This refers primarily to the time it takes to recover and bring your mission-critical processes and operations back online.  Your IT staff may not be enough to handle the stress of doing this all on their own, so you may yet have to hire some external contractors to help out.

*The long term:

These are the costs associated with bringing your business back to the state of normalcy it was in before it was impacted by the Ransomware attack.  Important here is the Business Continuity Plan, which will help to ensure that this does indeed happen.

Keep in mind that as the rest of the year unfolds, unfortunately, Ransomware attacks will still occur, and will happen in ways never thought of before.  Just make sure that you and your IT Security team have your guards up at all times.

Finally, more information about the costs of a Ransomware attack can be found at this link:

https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf
