Ransomware attacks — a type of digital crime in which the hacker locks up a business’s systems and demands a ransom payment to restore access — are on the rise. Attacks on large corporations like Colonial Pipeline, Kaseya and JBS Meat Company have dominated recent headlines, but small and mid-sized businesses are also being targeted.
This article outlines the risks businesses face and some specific controls you can implement to create more robust defenses against ransomware and other cyberattacks.
Cybercrime is a huge and profitable enterprise, and most hackers have a purely financial motivation. According to the Ponemon Institute’s 2021 Cost of a Data Breach Report, the average total cost of a data breach is now $4.24 million, with ransomware attacks averaging an even more painful $4.62 million.
Victims of ransomware often don’t regain access to their files after paying the ransom, and businesses that refuse to pay end up spending millions of dollars to rebuild their data. (To reduce the flood of business-disrupting cyberattacks, the federal Cybersecurity and Infrastructure Security Agency recently appointed a new director, Jen Easterly, to lead efforts to fight cybercrime. Easterly has extensive corporate and military experience in intelligence and cyber operations.)
Even a minor breach can carry a hefty price tag. According to Ponemon, the average cost per lost or stolen record was $161 across all data breaches. Some hourly expenses, such as legal fees, accrue regardless of the number of records that are affected. A breach can also damage your organization’s reputation and value.
In most cases, breaches are crimes of opportunity, rather than targeted attacks on a specific company. The weak link in the security chain is usually a person. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element.
The most prevalent form of attack is phishing schemes, which infect a system with malware or ransomware when the user unwittingly opens a malicious attachment or clicks a link in a legitimate-looking email. Malware is used to steal data and then sell it on the black market, where each stolen record may bring anywhere from a few cents to hundreds of dollars, depending on what it contains and how the buyer can use it.
As the volume of available data continues to multiply and data becomes increasingly connected, the threat will only keep growing. On top of that, larger remote workforces have made businesses more susceptible to attacks, increasing both the cost of a breach and the time needed to identify and contain it.
The good news? There is a lot you can do to safeguard your data, without making large expenditures on technology.
You can greatly mitigate your risk, often within weeks, by implementing these basic cybersecurity steps:
As your business changes, your risks change, so you should reassess your situation annually. If you have an existing enterprise risk management (ERM) program, you can leverage it and fold in your cybersecurity processes.
Ongoing board involvement and oversight are also important to your cybersecurity efforts. Evaluate your board composition and update it, if necessary, to add someone with data security expertise, and redefine your board committees to include cybersecurity responsibilities. You also need to establish proper governance and board oversight of your cybersecurity processes and strategy.
Ransomware and other cyberattacks can be detrimental to your company’s reputation, customers and overall bottom line. The consequences are usually severe, and there is no guarantee that your business will get its data back after the ransom is paid.
Although there is no way to completely prevent a breach, a strong cybersecurity program can help you mitigate your risks and be better prepared to respond to an attack. As the old saying goes, an ounce of prevention is worth a pound of cure.
Contact our cybersecurity team to learn more about strengthening your defenses against cyberattacks or to take the first step with a cybersecurity evaluation.