Quick – someone from your organization’s senior leadership team asks you a simple and straightforward question: “What’s our risk from ransomware?”
How do you respond?
While the technical details and trends of ransomware are interesting and important for subject-matter experts, what the senior leadership team ultimately wants to understand is the risk.
Security professionals (as well as high-tech media, solution providers, and industry analysts) often confuse technical information about threats, vulnerabilities, exploits, and information technologies with risk, and commonly use these terms interchangeably — but they are not synonymous with risk. This kind of technical information is about the “who,” “what,” and “how” of ransomware. Risk, on the other hand, is about the all-important “so what.”
Risk, as properly defined, is always about “how likely is a successful ransomware attack to occur” for our organization, and “how much is the corresponding business impact.” If we’re not talking about how likely and how much business impact, we’re not really talking about risk.
So by all means – based on what you know about who asked the question, your response might need to include some high-level background information, such as a definition and a summary of recent trends:
But then it’s time to get quickly to what they really want to know when they asked you the question – how likely is a successful ransomware attack to occur, and how much is the business impact if it does?
From a variety of public sources, we can readily provide a sense of several key factors for the likelihood side of the risk of ransomware, e.g.:
Similarly, we can explain that the business impact side of ransomware has several potential factors, including:
Lost productivity of users and responders — i.e., the extent to which users are unable to do their jobs during the time their data is encrypted and unavailable. To date, such non-availability has been the primary business impact of ransomware.
Loss or exposure of sensitive data — i.e., the extent to which ransomware results in a data breach, with its associated costs, fines, and/or penalties. To date, attackers have generally not been exfiltrating the encrypted data, just holding it for ransom and more immediate financial gain.
Loss of current revenue — i.e., the extent to which data being encrypted and unavailable disrupts the generation of revenue during the time of disruption.
Loss of future profitability — i.e., the extent to which the organization’s handling of the ransomware attack results in lower revenue (e.g., customers take their business elsewhere) or higher costs (e.g., higher marketing expenditures required to attract and retain new customers).
Key factors contributing to the annualized business impact of ransomware attacks also include the number of devices and users who may be affected, the total volume of data to be recovered, and the total time-to-recover.
If you’re already laying out the factors of likelihood and business impact in response to questions like this, good for you!
Even better, however, is taking the next step, and using these factors to quantify the risk of ransomware, e.g., “it’s 10% likely that the annual business impact will exceed $2.5M.” Now this is a response that will actually help the senior leadership team make a better-informed business decision about risk.
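Here is one way to turn the likelihood and impact factors above into a statement of the form “it’s X% likely that the annual business impact will exceed $Y.” This is an added illustration, not from the original post or from Aberdeen or Druva: a small Monte Carlo model that draws a yearly outcome from the likelihood of a successful attack, then builds the loss from the impact factors the post lists (devices and users affected, time-to-recover, lost productivity, lost current revenue, and a chance that the incident is also a data breach). Every input range below is a constructed, illustrative assumption for a hypothetical mid-sized organization, not data from the article; the point is the method, which you would feed with your own figures.

```python
"""Monte Carlo quantification of annualized ransomware risk.

Added example; all numeric inputs are constructed assumptions for a
hypothetical organization, not figures from the article.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class RansomwareRiskModel:
    # Likelihood side: probability of at least one successful attack per year.
    p_attack_per_year: float
    # Impact side (min, most likely, max) ranges, sampled with a triangular
    # distribution so the "most likely" value carries the most weight.
    devices_affected: tuple        # devices whose data is encrypted
    hours_to_recover: tuple        # total time-to-recover, in hours
    users_per_device: float        # users unable to work per affected device
    hourly_cost_per_user: float    # lost productivity, $ per user-hour
    hourly_revenue_at_risk: float  # lost current revenue, $ per hour of outage
    p_data_breach: float           # chance the incident is also a data breach
    breach_cost: tuple             # breach costs, fines and penalties, in $


def _tri(rng, rng_tuple):
    """Sample a (min, mode, max) tuple; random.triangular takes (low, high, mode)."""
    low, mode, high = rng_tuple
    return rng.triangular(low, high, mode)


def simulate_annual_loss(model, rng):
    """One simulated year: 0 if no successful attack, else the summed impact."""
    if rng.random() >= model.p_attack_per_year:
        return 0.0
    devices = _tri(rng, model.devices_affected)
    hours = _tri(rng, model.hours_to_recover)
    # Lost productivity: users idle for the whole recovery window.
    productivity = devices * model.users_per_device * hours * model.hourly_cost_per_user
    # Lost current revenue during the outage.
    revenue = hours * model.hourly_revenue_at_risk
    # Loss or exposure of sensitive data, only in the fraction of incidents
    # that turn into a breach.
    breach = _tri(rng, model.breach_cost) if rng.random() < model.p_data_breach else 0.0
    return productivity + revenue + breach


def run_simulation(model, trials=20000, seed=2019):
    """Return a list of simulated annual losses (one per trial)."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    return [simulate_annual_loss(model, rng) for _ in range(trials)]


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold), i.e. one point on a loss exceedance curve."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def summarize(losses, thresholds):
    """Expected annual loss plus the exceedance probability at each threshold."""
    return {
        "expected_annual_loss": statistics.mean(losses),
        "p_any_loss": exceedance_probability(losses, 0.0),
        "exceedance": {t: exceedance_probability(losses, t) for t in thresholds},
    }


# Constructed, illustrative inputs (assumptions, not data from the article).
EXAMPLE_MODEL = RansomwareRiskModel(
    p_attack_per_year=0.30,
    devices_affected=(50, 300, 2000),
    hours_to_recover=(8, 48, 240),
    users_per_device=1.0,
    hourly_cost_per_user=50.0,
    hourly_revenue_at_risk=5000.0,
    p_data_breach=0.10,
    breach_cost=(200_000, 800_000, 3_000_000),
)

if __name__ == "__main__":
    losses = run_simulation(EXAMPLE_MODEL)
    report = summarize(losses, thresholds=[500_000, 1_000_000, 2_500_000, 5_000_000])
    print(f"Expected annual loss: ${report['expected_annual_loss']:,.0f}")
    for threshold, p in report["exceedance"].items():
        print(f"P(annual loss > ${threshold:>9,}) = {p:.1%}")
```

Read the output the way the post suggests phrasing it: “it’s N% likely that the annual business impact will exceed $2.5M.” The same structure also lets you show leadership what a control buys them, for instance by rerunning with a shorter time-to-recover range (faster restores from backup) or a lower attack likelihood and comparing the two exceedance curves.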
To learn more about what this looks like (and how to do it), check out this upcoming webinar (featuring Aberdeen and Druva) on March 19th, 2019, “Breaking Down the Relentless Risk of Ransomware.”