Monthly Archives: March 2022

Survey: Average ransomware payment is $1 million; average incident costs $170,000

This is the second study Ponemon Institute has conducted on the devastating impact ransomware attacks have on small to large-sized enterprises. The first study was completed in 2017, and as revealed in this research, little progress has been made in mitigating the consequences of these threats. In this year’s research, the percentage of companies experiencing an attack increased from 51 percent in the 2017 study to 80 percent. Yet, 57 percent of respondents believe their companies are too small to be the target of ransomware. This has remained unchanged since 2017.

Ponemon Institute surveyed 659 IT and IT security professionals in small to large-sized companies in the United States. All respondents have responsibility for containing ransomware infections within their organization. This study was sponsored by CBI and Check Point and conducted independently by Ponemon Institute.

The cost per incident will continue to increase, and the types of attacks will continue to evolve. What’s most striking is that the vast majority of organizations are not doing enough to evaluate the security of their third parties. These findings should be a wake-up call and motivate organizations to evolve their ransomware mitigation playbooks.

The following findings describe the costs and consequences of a ransomware attack.

  • Of the 80 percent of companies that experienced one or more ransomware attacks, 53 percent of respondents say the ransom was paid and averaged over $1 million. The preferred methods of payment are bitcoin and virtual currencies.
  • Companies that did not pay a ransom declined because they had a full and accurate backup. However, respondents also believe a full and accurate backup is not enough when experiencing a ransomware attack.
  • Companies that paid the ransom did so because they could not afford the downtime and had a cyber insurance policy that covered the financial consequences of a ransomware attack. Fifty percent of respondents say the cybercriminals provided a decryption key.
  • Companies suffered financial consequences such as having to shut down for a period of time, losing customers, and eliminating jobs.
  • According to the research, an average of 14 staff members each spent 190 hours to contain and remediate their companies’ largest ransomware incident. Based on an average hourly rate of $63.50, the average cost to assign staff to deal with the incident was approximately $170,000.
  • The highest total costs resulting from a ransomware attack are from legal and regulatory actions, followed by the cost resulting from the company’s response to information misuse or theft.
  • Cybercriminals were most likely to use phishing/social engineering and insecure websites to unleash ransomware. The most compromised devices are desktops and laptops; however, since 2017, mobile devices have increasingly been targeted.
  • Compromised devices infected other devices in the network. Very often, data was exfiltrated from the device.
  • As in the previous study, companies are reluctant to report the incident to law enforcement because of concerns about negative publicity and the potential loss of customers.

Following are the key takeaways from this research.

IoT risk awareness is rising and ransomware prevention is increasingly prioritized. Awareness of IoT risks has risen from 58 percent of respondents in 2017 to 67 percent of respondents in this year’s research. Prevention of ransomware is becoming more of a priority, increasing from 46 percent to 53 percent. Respondents say their organizations are slightly less likely than in 2017 to pay the ransom if attacked.

There is a lack of confidence in security controls. Companies spend an average of $6 million annually on staff and technologies meant to prevent, detect, contain and resolve ransomware attacks. However, there is only a slight improvement in confidence about security controls that prevent ransomware attacks.

Companies are increasingly relying upon third parties to deal with the prevention and consequences of a ransomware attack. Since 2017, the engagement of third parties to reduce the risk increased significantly from 58 percent of respondents to 69 percent of respondents. To remediate the incident, the use of the expertise of third parties has increased from 59 percent of respondents to 70 percent of respondents.

Despite the seriousness of ransomware, the ability to respond is low. As reported, the increase in ransomware attacks has been significant since 2017. However, the ability to respond to such attacks is very low. Companies must assess their staff, technologies, and policies to increase overall readiness.

The severity of ransomware infections has increased over the past 12 months. Sixty-one percent of respondents say the severity of ransomware infections has significantly increased (25 percent) or increased (36 percent) since last year. In 2017, 57 percent of respondents said the severity of ransomware infections increased significantly (18 percent) or increased (39 percent) over the past 12 months.

Companies have been receiving more ransomware alerts since 2017. As defined in this research, a ransomware alert is a notice that your system may be targeted or susceptible to a ransomware attack. These alerts are communicated via threat intelligence and law enforcement.

The number of weekly alerts has increased from 25 weekly alerts in 2017 to 34 in this year’s study. In 2017, 46 percent of these alerts were considered reliable. In this year, 51 percent are considered reliable. In a typical month, an average of 6 percent of attempted attacks trigger an alert through one or more security controls but remain undetected.

A full and accurate backup is not considered enough by 55 percent of respondents. As discussed previously, only 32 percent of respondents are confident in their security controls, indicating the need to use more effective technologies to prevent ransomware attacks.

More companies need to conduct security assessments as part of their ransomware readiness strategy. Only about half (51 percent) of respondents say their organizations regularly conduct assessments to test their ransomware prevention and recovery practices.

In some cases, cyber insurance providers are decreasing their coverage for ransomware attacks. Most companies (64 percent of respondents) do not have cyber insurance policies that cover ransomware. Of the 36 percent of respondents who say their policies cover such attacks, 40 percent say the cyber insurance provider modified its ransomware protection resulting in decreased coverage. The average annual premium for a cyber insurance policy is $17,100.

Employees are still considered the weakest link in preventing ransomware attacks. Despite employee security training awareness programs that address social engineering, spear phishing and ransomware attacks, only 30 percent of respondents are very confident (12 percent) or confident (18 percent) in their employees’ ability to detect social engineering lures that could result in a ransomware attack.

Despite the risk, only half of training programs fully cover social engineering, spear phishing and ransomware. Sixty-one percent of respondents say their companies conduct continuous employee security awareness training. Of these respondents, 92 percent say the training covers social engineering, spear phishing and ransomware attacks fully (50 percent of respondents) or partially (42 percent of respondents).

In addition to insider risks, companies face ransomware threats from their suppliers and third parties. Seventy-five percent of respondents say they are very concerned about the risks the supply chain poses to their company as they relate to ransomware. Only 33 percent of respondents say third parties have the necessary privacy and security practices in place to reduce the risk of a data breach involving their companies’ sensitive and confidential information.

To reduce the risk of ransomware attacks, companies need to assess the security and privacy practices of their supply chain and third parties. As discussed, 75 percent of respondents are concerned about the ransomware risks posed by third parties. However, only 36 percent of respondents say their organizations evaluate third parties’ security and privacy practices. Only slightly more than half (53 percent) of respondents say their organizations conduct an assessment of the third party’s security and privacy practices. Currently, organizations mainly rely upon a review of written policies and procedures, according to 64 percent of respondents.

Download and read the report’s full findings here. 

New podcast: Defending democracy (and us) from Big Tech

Bob Sullivan

As war rages in Ukraine, big technology companies are struggling to keep up. Thousands of small decisions are being made at breakneck speed. Think, for just a moment, about the overwhelming task of sifting through propaganda-spewing social media accounts. Make yourself a tech exec right now. What’s free speech? What’s harassment? What’s incitement to violence? Where should we disable our service?

What if… my product makes the war worse?

These are life-altering decisions — not as real as pulling a trigger or launching a bomb, but not too far behind. I don’t envy those fighting the disinformation war right now. It’s no secret I am a frequent Big Tech critic, but it appears to me Facebook, Twitter, Google, Microsoft, etc., are all doing the best they can under the most difficult circumstances.

Makes it hard not to wonder why these firms couldn’t have been fighting disinformation this hard all along. (In fairness, as I see the world rise up in a global effort to care for refugees, for justice, for freedom, and against war, I think we should probably all be asking ourselves that question.)

All good intentions aside, there’s a really big question to ask, one which will be with us even after the current crisis passes: Who made Facebook, Google, and Twitter judge and jury over the digital universe? You might agree entirely with every decision these firms are making right now. But one day, you won’t. Then what?

Whether or not you realize it, Big Tech companies are running our lives in ways unimaginable just a few years ago. They tell us what to read, where to eat, what lawnmower to buy… and in many cases what mate to marry, even what cancer treatment to get. And at each decision, they take a cut. Tech titans have amassed incredible wealth doing this — so much money that executives are dabbling in space travel the way earlier titans bought luxury cars.

It’s one thing to be rich. But it’s another to usurp the functions of a democratic society. Big Tech has done that, and right now, there isn’t much we can do about it. Facebook broke the law, signed a consent decree, violated the consent decree, was fined $5 billion, and… well, not much changed. After Frances Haugen’s whistleblower testimony, Facebook — far from humbled — started nudging more pro-Facebook content onto users’ walls. That’s power.

More important, it’s unchecked power. The notion of checks and balances is built into the fabric of our society — of any free society. But right now, Big Tech is judge and jury in so many critical situations. When you search Twitter for news on Ukraine, or search for a vacuum cleaner on Amazon, or Google prostate cancer, who knows why you see what you see? If your Facebook post is pulled down for a “violation,” do you really expect you’ll get a decent explanation?

These are fundamental, existential questions in a democracy. They might have seemed academic, even a week or so ago, but our time makes it clear: Big Tech is wielding almost limitless power on our lives. Unaccountable for these decisions. That’s unhealthy. It has to change.

That is the idea behind “platform accountability.” What can be done to create a force equal to Big Tech firms, so that these companies and their leaders must answer to some kind of higher power? Yes, we’ve seen hearings in Congress. To date, they’ve been little more than reality TV shows. To be really accountable, Big Tech has to run into Big Limits.

I’ve been a visiting scholar at Duke University for a couple of years, looking into these issues. As part of that work, I am helping set up a platform accountability project at the Sanford School of Public Policy. Students and faculty there are engaged in long-term research projects examining structures that might prop up some Big Limits around Big Tech. My first contribution to this effort is a documentary podcast I’ve been working on for many months called “Protecting Democracy (and us) from Big Tech.” Episode 1 dropped this week: It’s called Too Big to Sue. I hope you’ll give it a try. I feel really passionately about the need for people to pick their heads up and realize all the ways, large and subtle, that technology companies are changing our lives, changing the way we relate to each other. Maybe it’s more good than bad. Maybe it’s mostly good. But a handful of super-rich executives hiding behind keyboards and rocket ships shouldn’t be making those decisions for us. We need to be involved. We need to have real power.

I normally release podcasts at Duke as the host of Debugger — but the school has an ongoing podcast called Ways and Means, and this series is a co-production with their team. You can find out more about the entire podcast project at Duke’s Ways and Means page here.

This is a link to the Too Big to Sue episode page.