As we finish out the year, here are some thoughts on the cost of ransomware.
The cost of ransomware keeps growing
In 2018, analysts at Cybersecurity Ventures predicted ransomware damages would grow from US$325 million in 2015 to US$20 billion by the year 2020. Those numbers may have seemed astronomical at the time. That same firm has now updated its forecasts to predict that ransomware attacks will cost a total of US$325 billion by 2031.
Is this just being alarmist? It’s hard to tell, given that the details of many ransomware attacks may go unreported. And frankly, big numbers like this are scary, but are not particularly informative.
Even the “average” cost of a ransomware attack, as reported this year in an IBM report at US$4.54 million, is presumably accurate – IBM does good research – but again, what does that mean?
And what is the real impact? Presumably, some of these companies have ransomware insurance. So how much actual damage is done?
Two examples surfaced in the past week or so that brought this into real focus. Rackspace, a U.S. hosting company, has been battered by an attack that has had severe consequences. Likewise, a Canadian grocery company has also been hit hard by a recent attack. In each case, we can see some of the real impacts – many of which are not covered by ransomware insurance.
Rackspace – a tiny portion of revenue, an enormous cost
TWiR reported last week that Rackspace tried to reassure investors after its email hosting outage with a statement that the revenue from the affected area is less than one per cent of overall company revenue. Further, the company had ransomware insurance.
These statements were not sufficient to keep the company’s share price from plummeting. Despite how little revenue was affected, share prices dropped by 30 per cent.
Last week, the other shoe dropped, as the company is reported to be facing a potential class action suit for “carelessness and linked infringements arising from the email hosting provider’s recent high-profile data breach.”
Empire supermarket chain estimates uninsured cost of recent attack at $25 million
Another company reported losses that cyber insurance would not cover. According to a report on IT World Canada, the company that owns many of Canada’s big name grocery chains is expecting to take a C$25 million charge against its earnings for the uninsured portion of the costs of a recent attack.
Empire, which owns the Sobeys, IGA and FreshCo chains (among others), certainly can absorb the cost, but in a world where missing your earnings targets can have serious impacts on share prices, this is a considerable expense to take.
What would the cost be for your company?
There’s an old saying that a recession is where your neighbour loses their job. A depression is when you lose your job. Likewise, the real costs of ransomware are not totally in the macro numbers. There is an overall story in terms of lost value and funds that presumably could be reinvested in economic expansion and wealth creation, or simply passed to investors, consumers, employees, and governments. These are real losses.
But the real story may lie in the individual companies and the impacts on their customers and stakeholders.
Empire will survive and take a modest hit. Rackspace will undoubtedly recover, but damage has been done. But many companies might not be so well placed. We talked to a private company over a year ago who frankly admitted that they came perilously close to closing their business when they were hit by ransomware. This, and many other stories like it, simply go unreported. But the damage is real.
As we approach the new year, it is worth asking – what is it that we can collectively and individually do to, if not end, at least better mitigate these costs?
I’d love to hear what you think as we move into the new year.