The True Cost of Ransomware: More than Just Dollars

Ransomware is a dark specter over businesses of all sizes, and even governments. Baltimore City fell victim to a ransomware attack this year, and with an estimated cost of $18.2 million, the impact will be felt for some time to come across an already cash-strapped city. While some of the costs are definite, like an actual cash ransom payment, other impacts aren’t quite as easy to pinpoint.

Almost all data breaches have two things in common: 95% of them involved an element of human error, and 90% of them began with a phishing attempt, with email phishing being the primary vector for ransomware infections. Larger organizations and companies can sometimes weather the storm in the aftermath of a data breach, but small and medium businesses are not always so lucky. 72% of data breaches occurred at companies with fewer than 100 employees, making the SMB space the target of choice for cybercriminals.

What happens after a breach?

On the financial side, the average cost of the ransom itself is $2,500 (which is the cost of a good firewall or backup device, if we’re not mincing words). The true costs don’t stop there, however. The overall average annual loss associated with cyberattacks and breaches for the same fewer-than-100-employee business is $80,000. A full quarter of these related costs are in the form of lost revenue. With numbers like that, it’s easy to see why more than half of small business victims become unprofitable only 30 days after an attack that caused permanent data loss.

The financial impact is not the only damage done in the aftermath. 87% of respondents in a recent consumer poll stated they were unlikely to do any business with an organization that had a breach involving debit card, credit card or bank account details. That is permanent damage to a brand, and it takes considerable expense to recover from.

Training and Preparedness

We’ve established that 95% of breaches involve human error, and the best ways to combat human error are training, awareness and planning. Many professional and industry certifications already require some kind of end-user cybersecurity awareness training, sometimes recurring on an annual basis. Revisiting company policies on internet use alongside security awareness training heightens the effect on employees by reinforcing the importance of the rules already in place.

We can’t overstate the importance of continual cybersecurity training and preparedness. We are happy to consult with you and illustrate the many tools and options available to get your organization up to speed on security.
