7 unexpected ransomware costs

Indirect costs related to a ransomware attack can add up over time. These are the expenses and financial risks that CISOs should be aware of.


Ransomware is one of the fastest-growing categories of cyberattack. One of the factors that makes these threats especially intimidating is that the costs can be far-reaching. An August 2021 report from security consultancy NCC Group shows that the number of worldwide ransomware attacks analyzed by the firm’s Research Intelligence and Fusion Team increased by 288% between the first and second quarters of this year, “with organizations continuing to face waves of digital extortion in the form of targeted ransomware.”

While it’s common knowledge that ransomware can be expensive for the companies it hits (with costs tending to focus on lost business, ransom paid, consultant fees, etc.), there are also lesser-known financial impacts. Following are some of the unexpected costs, both direct and indirect, of a ransomware attack. Some are not related to security, but CISOs and other security leaders need to be aware of these potential costs when it comes to justifying investments in security that could protect against ransomware.

1. Keeping the business running

Following a ransomware attack, maintaining business continuity can be a big expense, says Allie Mellen, an analyst at research firm Forrester. “Successful ransomware attacks can affect business operations for days, weeks, or months,” she says. “If none of your employees can log onto their business accounts or access their business data, they can’t do the vital work needed to support the business.”

Ransomware recovery costs run on average ten times the cost of the ransom payment, says Christopher Rence, former chief data, compliance, security, and risk officer at Equus Holdings and now president and CEO of Rimage. Recovery and continuity “is where the rubber hits the road,” he says. “Most companies do not know where all of their data is. They do not know if it is fully backed up or [backed up] at all until the recovery process starts.”

Following recovery, companies that have been compromised do not feel they are out of danger, Rence says. “It can take a company, depending on the data complexity, up to 12 months to fully recover,” he says. “The skills needed to continue the recovery and ongoing due diligence are outside of the skills of most IT teams, leaving them vulnerable for years to come.”

2. Higher cyber insurance fees

Many organizations now carry insurance policies against cybersecurity attacks, which makes sense given the potential financial impact of such an intrusion. One possible consequence of experiencing a ransomware attack is higher insurance fees. Furthermore, the amounts recovered from policies might not be as high as expected.

“Insurance companies are moving quickly to limit their payouts, and premiums are increasing,” says Pete Lindstrom, vice president of research, enterprise/next-generation security, at research firm International Data Corp. (IDC).

Organizations should work with their insurance brokers and any other companies that are part of their policies to find out how they can keep costs down. “After an event, the insurance companies are doing full due diligence to make sure you had followed the processes, the training, and the actions” of employees, Rence says.

3. Loss of customer trust

Although difficult to quantify, the loss of customer trust following a ransomware attack can be a significant issue. “In the event of a ransomware attack, customers may be unable to access customer support, sales, or any other functions in the business, leading to loss of sales, prospect and customer frustration, and a feeling that the business is simply unreliable,” Mellen says.

Even a brief loss of customer trust can do damage. This loss of trust affects not only existing clients but prospective new customers as well. It can be a particularly troublesome problem if the ransomware attack involved customers’ personal information being exposed. The trust issue can also extend to business partners such as suppliers, service providers, consultants, and others.

4. Marketing and PR investments

Related to the loss of trust is the marketing and public relations effort and investment needed to rebuild that trust and the organization’s reputation.

A significant trend identified by NCC Group in its study is the prevalent issue of ransomware gangs threatening to leak the stolen sensitive data of non-paying victims to damage organizational reputation.

This additional pressure to force a payout is known as “double extortion,” an increasingly common tactic used by threat actors, according to the firm. “It takes added expense on the behalf of the marketing team and the rest of the organization to recover their reputation and to prove to customers and prospects that the business is trustworthy, reliable, and available,” Mellen says.

These efforts might involve not only the creation of news releases and updates, but also advertising, social media initiatives, interviews with the media, and speaking engagements. All of these take time that could have been spent on more productive endeavors.

5. Risk evaluation by partners

Another added expense that is increasing over time is the cost of evaluation by partners and customers for third-party risk, Mellen says. “Every time a business is breached, businesses that partner with or are customers of another business must evaluate how they are vetting other organizations and what additional standards they must hold them to,” she says. “As these processes become more defined and more common across industries, it will inevitably raise costs on the business to ensure compliance with these rising standards.”

6. Loss of skilled workers

Damaging ransomware attacks can result not only in the loss of customers and partners, but employees as well. Some of the attrition could involve difficult-to-find technical skills such as those related to security, data analytics, and other areas. Some people do not want to be associated with a company that has been compromised, Rence says.

The cost of replacing these skills is high, Rence says, especially since recruitment efforts might have to be even more aggressive and compensation might need to be a bit higher. In some cases, companies lose skills because they are forced to eliminate jobs after an attack. A study on ransomware impact by security company Cybereason, which is based on a survey of 1,263 cybersecurity professionals worldwide conducted in April 2021, showed that 29% of the respondents said they had to cut jobs because of a ransomware attack.

7. Societal costs

The costs of ransomware attacks can extend well beyond those incurred by the victimized organization. “The real cost here is the societal cost that we all share whenever a company decides to pay the ransom,” Lindstrom says. “Luckily, that isn’t often and has its own set of significant risks, but these attacks that lead to direct cash payments are so lucrative to attackers that it perpetuates the attacks on others.”

The economic costs to business revolve around those who decide to pay the ransom, Lindstrom says. “It may be the most expedient way to keep costs down for any individual organization, but it increases the attacker benefits and therefore the risk to everyone else,” he says. “Given that the ransomware world has developed an ecosystem complete with brokers, insurance options, etc., more conflicts of interest arise between addressing any single situation versus doing what is best for the entire world.”

Copyright © 2021 IDG Communications, Inc.
