Written by Robert Vescio, Chief Analytics Officer, SSIC.
Let us start with some data…
According to the US Federal Bureau of Investigation, in 2020 over 4,000 ransomware attempts were carried out *daily*
The average cost of remediating a ransomware event is $760,000 (source: Sophos)
The average downtime due to a ransomware event is 19 days (source: Coveware)
26% of ransomware victims pay the ransom, and even after paying, some (1%) never get their data back (source: Sophos, Coveware and Sonos)
For 2021, experts predict that there will be a ransomware attack every 11 seconds, with the global impact of ransomware projected to top $20B in losses and costs (source: Cybercrime Magazine)
It may be a bit unnecessary to state, but ransomware is creating a material economic challenge for companies all over the world, and business leaders are appropriately concerned. Is your company truly ready to manage the risk of ransomware?
Most technology teams have a strong command of what ransomware is and how it works, and even have ideas on technical approaches to prevent it. The challenge is not the technical understanding of the problem; it is that most technology teams cannot “sell it” – they struggle to build the business-related perspectives showing where a ransomware attack would occur and how expensive it would be. Additionally, there are currently no cybersecurity-related compliance or regulatory requirements that mandate any activities relating to the prevention of ransomware or the minimization of its impacts. (Compliance has been the “hammer” for most cybersecurity investments over the last 15 years, used to justify millions of cyber budget dollars.) Absent the “so what?” elements of the argument, technology teams and CISOs struggle to build business context and actionable decisioning to address ransomware.
To be fair, ransomware is a complicated problem. There are talented threat actors that have gotten a taste of success extorting vast amounts of money from their victims. There is a myriad of tactics – including phishing, reputation extortion, and now even “R DDoS” (ransomware-distributed denial of service) – that the threat actors employ to coerce their targets into paying them money. To combat this, CISOs and technology teams need to be at the top of their game, as it only takes one mistake for an attacker to gain their initial foothold: one person clicking on the wrong link, one server not patched yet, or one mission-critical system in the middle of an upgrade, and the attacker has a weakened starting spot to stage their attack. It can seem overwhelming.
The successful approach to managing the exposures of ransomware starts months before an attack occurs. Organizations need a deep understanding of the potential impacts that ransomware might have on their business, operationally and financially. They need a clear understanding of the deployed cyber technological capabilities and their effectiveness in meeting the technical challenge. They need to understand the impact of the specific cyber threat landscape related to their business. In addition to those, they need to have a view of the financial exposure that could arise because of a ransomware event. Armed with these three areas of insight, business leaders can get ahead of significant ransomware losses.
X-Analytics Enterprise steps up to meet this challenge. As the premier cyber risk decisioning application, X-Analytics Enterprise can help businesses better prepare themselves for the exposures and potentially minimize the impacts due to ransomware attacks through better decision support.
X-Analytics Enterprise provides…
The probability and projected monetary impact of ransomware attacks across an enterprise and within various business units; monetary impacts include projections for technical and business recovery costs, legal and communication expenses, service level agreement impacts for existing contracts, and other costs related to responding to ransomware attacks,
A detailed view of the technological control area effectiveness most relevant to preventing ransomware – along with projected cyber risk reduction improvements associated with proposed capability enhancements,
A dynamic, calibrated, and regularly updated model that incorporates changes to the cyber threat landscape and financial variables based on actual market experiences and company changes, and
Easy to understand dashboards for the current cyber-related financial risk, program trending history, and projections for risk transfer (cyber insurance) expectations.
Armed with X-Analytics insights, business leaders can optimize cyber-related investments to meet their business goals and expectations, and minimize the impact of ransomware to their business.
All X-Analytics products leverage SSIC’s patented and validated X-Analytics cyber risk decisioning application. X-Analytics is trusted within the global insurance industry to underwrite billions of dollars of global cyber risk financial exposure, and by leading corporations to maximize the effectiveness of their cyber risk decisions.
Based in the Washington, D.C. area, Secure Systems Innovation Corporation (SSIC) is a cyber risk analytics firm whose mission is to improve how businesses manage cyber risk using financial analytics. X-Analytics is a patented and validated cyber risk decisioning platform that is changing how executives, boards and the risk management industry understand and manage cyber risk. For more information, please visit https://www.x-analytics.com.