Page 133 - Cyber Defense eMagazine September 2022

A tool to make money

            Cybercriminals see ransomware as a proven and effective tool to make money, and lots of it, with
            pay-outs totaling as much as $40 million. The financial effects of ransomware are certainly becoming more
            pronounced, with more attacks targeted at supply chains and critical infrastructure, causing widespread
            disruption. The Cybersecurity and Infrastructure Security Agency (CISA) reported in February 2022 that
            it is aware of ransomware incidents against 14 of the 16 US critical infrastructure sectors.

            Despite all the warning signs, are companies underestimating the cost of recovering from such an attack?


            Industry figures suggest that, among security professionals, there is an alarming disparity between the
            perceived cost and the actual cost of recovering from a ransomware attack. Our own survey shows that the
            average perceived cost is $326,531, with insurance pay-outs extending up to an average of $555,971.
            Industry figures, however, show that the average total cost of recovery from a ransomware attack was
            $1.4 million in 2021.

            It was encouraging to see that three-quarters of respondents have cyber insurance, although one in four
            (24%) do not have any insurance or don’t know if they do.

            So, with current insurance pay-outs unable to cover even half of the average cost to recover from
            ransomware, many firms will be under huge financial pressure if they are hit, particularly smaller
            businesses that may lack the resources and expertise to manage it.


            Our research also highlighted some other serious concerns, notably that threats are outpacing security
            teams.

            When we asked security professionals what keeps them awake at night, 41% said they worry about
            ransomware attacks evolving beyond their team’s knowledge and skillset, while a similar percentage
            (39%) worry about them evolving beyond their company’s security capabilities.

            Their biggest concern, however, is the risk of employees ignoring corporate advice and clicking on links
            or attachments containing malware. In fact, they worry more about this than they do their own job security,
            with just a quarter worried about losing their job.



            Ransomware demands – to pay or not to pay?

            According to our research, there is also some debate in the industry around how best to deal with
            ransomware demands. One in three security professionals said they were worried about paying a ransom
            demand and not getting their data back, but 65% would still pay.

            Interestingly, around a third said it was down to their insurance company to pay it, and around one in five
            (18%) said the government should pay. More than a quarter (27%) of security professionals would never
            pay a ransomware demand.

            Paying a ransomware demand clearly depends on an organization’s level of preparedness. Do they have
            the right processes in place and strong backup and recovery? If so, they won’t need to pay it. According





            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.