Ransomware is a business decision.

Depending on who you ask, bouncing back from ransomware attacks will cost organizations anywhere from 5 to 20 million US dollars. That's not loose change, but it's also nothing that will make a dent in the bottom line of a significant number of organizations. If you do a back-of-the-envelope calculation, it's not unreasonable to think that paying 10 million dollars in ransom every year is cheaper than establishing a cybersecurity program to try and prevent ransomware attacks in the first place. And "try" is the operative word here: you have no guarantees that your cybersecurity team will stop every attack. It follows, then, that getting hit by ransomware is just one of those things you learn to live with. You "accept the risk", as it were.

That's a very compelling story: corporations don't care, CISOs are incompetent, and cybersecurity is theater. But is that the actual story? How do you go about understanding how bad the problem really is? Obviously, there is no way to know. I don't believe it's that big of a stretch to assume that the vast majority of ransomware incidents are never reported, so any number you get from Sophos, or the FBI, or Coveware, or the FAIR Institute is likely wrong.

Those reports will give you some idea of how big the problem is, but they won't paint the whole picture. And, quite honestly, they don't really have to. The main purpose of these reports is to scare some people into action, and the action they want is the scared people buying some piece of software, some services, or a combination of both. The FBI may not have that motive, but its ransomware data is also limited to a specific set of businesses that belong to what the United States government considers "critical infrastructure."

In 2023, the IC3 received 2,825 complaints identified as ransomware with adjusted losses of more than $59.6 million. Ransomware is a type of malicious software, or malware, that encrypts data on a computer, making it unusable. In addition to encrypting the network, the cyber-criminal will often steal data off the system and hold that data hostage until the ransom is paid. If the ransom is not paid, the entity’s data remains unavailable.

The quote above comes from the FBI's Internet Crime Complaint Center's 2023 Internet Crime Report. This report takes into account cases that were reported by organizations considered critical infrastructure, making the sample here quite biased. However, a little math will get you close to that 20 million dollar bill per incident. A little math would also indicate that a cybersecurity team capable of cutting this number in half would make financial sense if their budget stays under 10 million dollars. The problem is you can't tell for sure. No one is able to go to the board of directors and claim to have stopped attacks that would have resulted in losses of any amount of money. You can't really quantify the financial impact of a cybersecurity incident that did not happen.

Add to that heap of disparate numbers the favorite figure of risk management people that is the mythical "reputational damage", and you have a very elegant narrative based on conjecture, hearsay, and made up numbers. I don't even think "reputational" is a word. Be that as it may, going to the CEO, or the board, or whoever decides on those things, armed with dollar figures that do not make sense to your specific situation is probably a recipe for getting a response that is some variation of "you are wasting our time."

For every subtle and complicated question, there is a perfectly simple and straightforward answer, which is wrong. ― H.L. Mencken

Cybersecurity people have a very bad habit of thinking they're more important than they actually are. Unless you're selling it, cybersecurity is not great for the profitability of a business: you need tools, you need qualified people, and you need training. All things that go on the "expenses" column. Nothing new here, as a bunch of other business functions operate exactly the same way. Unless you're selling it, HR, accounting, legal, facilities, IT, etc. are all cost centers. The difference lies in the fact that we have a very good idea what happens when you don't have these business functions. Or what happens when they don't do what they're supposed to do.

The consequences of accounting shenanigans are known. The aftermath of labor law violations is not pretty. Not having a legal department is very likely an awful idea. Your IT failures usually mean that no one can work. So why do companies put up with bad or non-existent cybersecurity? Why is it acceptable to get hit with ransomware when the means to not get hit with ransomware are known and available? It's much like condoning accounting shenanigans or engaging in labor law violations: if you know it's wrong and you do it anyway, you're assuming the risk. If you hit someone with your car while drunk, you're not on the hook only for the cost of fixing your car.

It's a business decision. It might even be a smart business decision: you save money on prevention because the losses from a ransomware attack are cheaper. Why would I spend $100 to avoid having to spend $50? It makes no sense, right? Right. Until you start sending the invoices to the right places. This accounting will shift radically when we start making the negligent parties pay: if your preventable ransomware incident makes me unable to get a prescription filled, or an exam done, or a product delivered, or a service rendered, or anything else that you should be doing but aren't, you should pay. The costs of your negligence cannot be chalked up to "externalities" that everyone else but you will pay. Ransomware incidents caused by bad cybersecurity are not an "act of god" or "force majeure."

Setting aside the fact that paying ransom to unlock your data is literally financing crime, and the fact that ransomware is only viable because we allowed an unregulated parallel financial system to exist, the mere fact that so many businesses are OK with being extorted is unsettling. It is hard to justify paying real money to unlock files here knowing that those funds might very well be helping some regime wage war somewhere else, or clamp down on dissidents, or procure weapons, or finance terrorism. If the rationale is "out of sight, out of mind", the math checks out. If the rationale is "we are going to do what we can to prevent this from happening because the consequences of not doing so are bad for a lot of people, even if not an existential threat to us", you make sure your cybersecurity program exists and you make sure it can deal with the problem. The latter rationale is the correct one.

Unfortunately, "doing the right thing" is not enough incentive to coax corporations into doing, you know, the right thing. The way to make this business decision a little less impactful to everyone else is to make the source of the problem pay. And, no. The "market" cannot fix this by itself, as evidenced by stock prices bouncing back almost immediately after these incidents.

What's needed is regulation. Got hit by ransomware due to sheer negligence? Pay up. Bought some bitcoins to pay ransom? Pay 10x that amount in fines. Cryptocurrency exchange selling cryptocurrency that's going to be used to pay ransomware gangs? Sorry bud, we're not going to let you profit from this: here's a hefty tax to dissuade you from facilitating this kind of transaction. Solutions do exist. And lest anyone here accuses me of victim blaming, remember that we do shift liability around all the time: from payment card fraud to insurance claims.

What if you realized that, in the grand scheme of things, investing in cybersecurity is good for business? Daring today, aren't we? In that case, you can select and put in practice one of the 500 different cybersecurity frameworks. Doesn't matter which one. Why? Because the solution to this problem is so obvious, so common knowledge, it's almost trite: know what you have to protect, and use the multiple tools you have at your disposal to protect it. Least privilege access control. Multi-factor authentication. Data encryption. Backups. Patching. It's not hard, but it does require some elbow grease, the willingness to do the right thing, the right people, and attention. Good governance is half the battle.