Guest Post: The Real Answer to the Question “What’s Our Risk from Ransomware?”

Quick – someone from your organization’s senior leadership team asks you a simple and straightforward question: “What’s our risk from ransomware?”

How do you respond?

While the technical details and trends of ransomware are interesting and important for subject-matter experts, what the senior leadership team ultimately wants to understand is the risk.

Security professionals (as well as high-tech media, solution providers, and industry analysts) often confuse technical information about threats, vulnerabilities, exploits, and information technologies with risk, and commonly use these terms interchangeably — but they are not synonymous with risk. This kind of technical information is about the “who,” “what,” and “how” of ransomware. Risk, on the other hand, is about the all-important “so what.”

Risk, as properly defined, is always about “how likely is a successful ransomware attack to occur” for our organization, and “how much is the corresponding business impact.” If we’re not talking about how likely and how much business impact, we’re not really talking about risk.

So by all means – based on what you know about who asked the question, your response might need to include some high-level background information, such as a definition and a summary of recent trends:

  • Ransomware refers to malicious code designed to gain unauthorized access to data, and encrypt the data to block access by legitimate users. Attackers then demand that victims pay a ransom, in exchange for the key to decrypt and recover their own data.
  • Today, technically sophisticated and financially motivated attackers are constantly evolving and adapting their deployment of ransomware — to evade the protection mechanisms put in place by the defenders, and to maximize their own return on investment. Technical trends currently include high growth in new ransomware variants, as well as increased targeting of mobile devices, connected devices (i.e., IoT), servers, and cloud-based services in addition to traditional enterprise endpoints.

But then, it’s time to get quickly to what they really wanted to know when they asked the question: how likely is a successful ransomware attack to occur, and how much is the business impact if it does?

Breaking Down the Risk of Ransomware: How Likely?

From a variety of public sources, we can readily provide a sense of several key factors for the likelihood side of the risk of ransomware, e.g.:

  • More than half of enterprises report that they’ve experienced at least one ransomware attack during the previous 12 months.
  • Of those who were attacked, most are attacked more than once.
  • Most ransomware attacks impact traditional enterprise endpoints — although increasingly they are also impacting the data on mobile devices, connected devices (i.e., IoT), on-premises servers, and cloud-based services.
  • About two-thirds of ransomware attacks are successful in infecting at least one endpoint.
  • More than half of successful ransomware attacks subsequently expand to infect more than one endpoint.
  • Few organizations pay the ransom to recover their data — almost all can restore from backups.

Breaking Down the Risk of Ransomware: How Much Impact?

Similarly, we can explain that the business impact side of ransomware has several potential factors, including:

  • Lost productivity of users and responders — i.e., the extent to which users are unable to do their jobs during the time their data is encrypted and unavailable. To date, such non-availability has been the primary business impact of ransomware.
  • Loss or exposure of sensitive data — i.e., the extent to which ransomware results in a data breach, with its associated costs, fines, and/or penalties. To date, attackers have generally not been exfiltrating the encrypted data, just holding it for ransom and more immediate financial gain.
  • Loss of current revenue — i.e., the extent to which data being encrypted and unavailable disrupts the generation of revenue during the time of disruption.
  • Loss of future profitability — i.e., the extent to which the organization’s handling of the ransomware attack results in lower revenue (e.g., customers take their business elsewhere) or higher costs (e.g., higher marketing expenditures required to attract and retain new customers).

Key factors contributing to the annualized business impact of ransomware attacks also include the number of devices and users who may be affected, the total volume of data to be recovered, and the total time-to-recover.

The Real Answer to the Question: What’s Our Risk from Ransomware?

If you’re already laying out the factors of likelihood and business impact in response to questions like this, good for you!

Even better, however, is taking the next step, and using these factors to quantify the risk of ransomware, e.g., “it’s 10% likely that the annual business impact will exceed $2.5M.” Now this is a response that will actually help the senior leadership team make a better-informed business decision about risk.
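As an added illustration (not code from the post, Aberdeen, or Druva), the following Python Monte Carlo sketch turns the likelihood and impact factors discussed above into a loss-exceedance statement of exactly the form recommended here, “P(annual impact > $X)”; every input figure in SCENARIO is a constructed assumption, not measured data.

```python
import random
# Constructed scenario inputs, chosen only to mirror the post's factors; none are real data.
SCENARIO = {
    "p_attack": 0.55,            # at least one attack in the year (likelihood side)
    "attacks_if_any": (1, 3),    # attacked organizations are usually hit more than once
    "p_infect": 0.66,            # about two-thirds of attacks infect at least one endpoint
    "p_spread": 0.55,            # more than half of infections reach further endpoints
    "endpoints": 2000,
    "spread_share": (0.02, 0.05, 0.30),   # low, mode, high share of fleet if it spreads
    "recover_hours": (4, 24, 120),        # low, mode, high time-to-recover per incident
    "cost_per_endpoint_hour": 45.0,       # lost productivity of users and responders
    "revenue_per_hour": 4000.0,           # revenue disrupted while data is unavailable
    "p_breach": 0.05,            # exfiltration is the exception, not the rule
    "breach_cost": 1_500_000.0,  # fines, notification, penalties if data is exposed
}

def tri(rng, low, mode, high):
    """Triangular sample; random.triangular takes (low, high, mode), so reorder."""
    return rng.triangular(low, high, mode)

def incident_loss(s, rng):
    """Dollar impact of one successful infection."""
    hours = tri(rng, *s["recover_hours"])
    spread = rng.random() < s["p_spread"]
    affected = int(s["endpoints"] * tri(rng, *s["spread_share"])) if spread else 1
    productivity = affected * hours * s["cost_per_endpoint_hour"]
    revenue = s["revenue_per_hour"] * hours if spread else 0.0  # assumption: only fleet-wide outages hit revenue
    breach = s["breach_cost"] if rng.random() < s["p_breach"] else 0.0
    return productivity + revenue + breach

def annual_loss(s, rng):
    """Total impact over one simulated year."""
    if rng.random() >= s["p_attack"]:
        return 0.0
    total = 0.0
    for _ in range(rng.randint(*s["attacks_if_any"])):
        if rng.random() < s["p_infect"]:
            total += incident_loss(s, rng)
    return total

def loss_exceedance(s, thresholds, trials=20_000, seed=7):
    """Map each threshold to P(annual loss > threshold), estimated by Monte Carlo."""
    rng = random.Random(seed)
    losses = [annual_loss(s, rng) for _ in range(trials)]
    return {t: sum(loss > t for loss in losses) / trials for t in thresholds}

if __name__ == "__main__":
    for t, p in loss_exceedance(SCENARIO, [100_000, 500_000, 2_500_000]).items():
        print(f"P(annual business impact > ${t:,.0f}) = {p:.1%}")
```

Replacing the constructed inputs with your own survey figures, fleet size, and recovery-time estimates yields a curve you can read the “10% likely to exceed $2.5M” style answer directly from.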

To learn more about what this looks like (and how to do it), check out this upcoming webinar (featuring Aberdeen and Druva) on March 19th, 2019, “Breaking Down the Relentless Risk of Ransomware.”