By Sam Linford, VP EMEA Channels at Deep Instinct
Ransomware has become a harrowing concern for business leaders, as attack rates and cost continue to spike across industries. It is projected that by the end of this year, annual ransomware damages will reach $20 billion.
It’s no surprise then that ransomware has come to represent one of the most financially threatening cyber risks facing organisations today. The core mechanism of such attacks makes it a very profitable method for threat actors and damaging for the victims. A single mis-click unleashes a malware that laterally moves through the network and paralyses the business by encrypting key files and systems. Then the ransom demand arrives. It has a lot of zeroes on the end.
Despite the massive financial impact of such an attack, research from Deep Instinct has found that many organisations are unprepared to deal with ransomware. Over 50% of CEOs are overoptimistic in estimating the security capabilities of the organizations and assume that their ecosystem is prepared to face such attacks. So, when ransomware breaks through, leaders are often caught off guard.
We found that executive leaders, especially key financial decision makers are dangerously disconnected on their views about how well the organisation could prepare for facing threats, bear up to an attack, and what to do if one occurs. IT Security decision makers (71%) are more likely to be aware of past ransomware attacks than Finance decision makers (55%).
How are businesses underestimating ransomware?
When a ransomware attack happens, the decision of whether or not to pay the ransom is taken based on cost quantification. Organisations need to accurately size the financial cost of downtime and data loss, and then compare it with the ransom demand. However, these assessments are often inaccurate.
Why? Because financial executives such as CFOs, who play a primary role in resource management, are often not involved in such critical financial assessments. We commissioned research with more than 200 senior decision-makers and found that only 12 percent of CFOs are actively involved in determining the organisation’s risk from cyber attacks. Consequently, we also saw that only 38 percent of the firms were confident in the accuracy of their quantified costs.
Likewise, despite the massive financial fallout of a ransomware attack and the critical decision around whether to pay up, CFOs were only involved in the final decision about ransom demands 14 percent of the time. CEOs, as well as CISOs and other technical leaders, were twice as likely to be directly involved. Furthermore, IT security decision-makers (71%) are more likely to be aware of prior ransomware attacks than decision-makers in finance (55%).
CFOs maintain the financial pillars of a company. They are often the ones that know the monetary value of most organisational resources, and they have the experienced mindset to recognise which decisions are financially sound for the organisation, and which are not. So, not including such individuals in a ransomware response decision is a rather treacherous approach. The CFO must be present if the organisation is to have any hope of getting a clear picture of its exposure to risks online, the financial repercussions of a potential breach, and the degree of risk exposure.
Accidently excluding the CFO from the process means the numbers around cyber risk often don’t quite add up. This was particularly clear in ransomware, where a firm will be given direct control of whether to pay thousands, or even millions, of pounds for the chance to restore their systems.
The true cost of ransomware
Most respondents believed they would stand firm and refuse to pay up, but those who considered meeting demands tended to underestimate how badly it might cost them. Between £500k and £1m was the most common estimate, with just 2% expecting to pay between £5-10 million.
But history suggests they’d likely end up paying far more. Among respondents that had previously paid up, the cost was most likely to be between £1-5 million, with 14% having paid between £5-10 million, and 6% going over an eye-watering £10 million. Worse, only 32% of respondents, who had paid a ransom reported receiving all their data and not experiencing a repeated attack.
There’s also a real mental impact from such attacks. We found that 41% of the respondents were worried an attack would negatively harm their future prospects, even if it wasn’t directly their fault. This concern was more prevalent among CEOs. The stress of having to deal with such incidents can have a significant toll on their mental health. The majority of the respondents were also concerned with losing the trust and respect of their co-workers, as well as the prospect of such incidents tarnishing their previous achievements and diminishing any promotion opportunities. It’s now not so hard to see why we are suffering from a ‘Great Resignation.’
The disconnect with CEOs
Estimates around the cost of ransomware might be more in line with reality if finance heads were more involved in cyber planning. We found that CFOs and financial directors were the least confident decision makers about their firms’ level of preparedness for cyber risk. Just 26% believed they could withstand an attack.
By contrast, nearly two thirds of CEOs were confident that they were well prepared to weather an attack. Similarly, 88% of CEOs stated they could quantify the loss of data, compared to just half of financial decision makers.
Now, we expect CEOs to radiate confidence and take a bold stance on their company’s capabilities. But when this confidence isn’t backed by the facts, the business can be exposed to unnecessarily high levels of risk. Also, CEOs are often only given a selective amount of information. They are not always aware of the core impact of the incident, the monetary value of the compromised resources, the potential vulnerabilities that still exist within the systems, and much more. So, they don’t have the full picture to make effective decisions.
In many cases, CEOs believed their company was undertaking more security planning and preparation than was really the case. For example, 56% of CEOs also believed their company was constantly reviewing risk plans, compared to just 32% on average for executives in other fields.
Giving everyone a seat at the table
It’s clear that many leaders exist in a bubble of misplaced confidence when it comes to dealing with ransomware and other cyber threats. When a serious attack occurs and the bubble bursts, this disconnect can mean the business suffers far greater financial losses than it needed to, from failing to mitigate the ransomware, to agreeing to massive ransoms and seeing nothing for it.
The best way to overcome this disconnect is to ensure that all business leaders are included when it comes to cyber resilience and risk mitigation. As the ultimate financial gatekeepers of the business, CFOs along with other C-suite executives should have the opportunity to share their insights and opinions about key decisions, such as security investments and whether paying a ransom demand stacks up against the cost of dealing with lost business and restoring systems.
Almost every cyber attack is financially motivated, so it’s quite conspicuous why financial leaders must have a seat at the table when having critical discussions on security and risks. Involving every business leader, including the financial heads removes a lot of the guesswork in assessing cyber risks. Their wider engagement can help organisations to make more practical and conscious decisions when faced with sophisticated attacks like ransomware.