We’re hearing a lot of surprised reactions to one finding in the RiskLens 2023 Cybersecurity Risk Report: Ransomware ranks at the bottom for total loss exposure among seven cyber risk themes.
According to the report, the representative organization for our study, a mid-sized North American company of 500-1,000 employees and $100M-$1B in revenue, has a two percent chance on average of a ransomware attack in a year, leading to an average loss exposure in a year of just $41,900.
We calculate loss exposure probabilistically based on 10,000 simulated years, incorporating both the probable cost and probability of occurrence of the events. Our goal is a measurement of risk in dollars that security and risk teams can use to inform cost-effective spending decisions.
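The simulated-years method described above, as an added example in Python (not RiskLens code or the report's model): each simulated year an event occurs with the stated annual probability, its cost is drawn from a lognormal single-incident distribution, and annual loss exposure is the mean loss across the simulated years. The 2% probability is the report's figure; the $500K-$8M cost interval and the lognormal choice are assumptions for illustration.

```python
# Added example (not RiskLens code): FAIR-style Monte Carlo over simulated years.
# Each year an event occurs with the scenario's annual probability; its cost is
# drawn from a lognormal calibrated to a 90% interval. Exposure = mean loss/year.
import math
import random
from dataclasses import dataclass

@dataclass
class RiskScenario:
    annual_probability: float  # chance that an event occurs in a given year
    loss_low: float            # 5th percentile of single-event cost (dollars)
    loss_high: float           # 95th percentile of single-event cost (dollars)

    def lognormal_params(self):
        """(mu, sigma) such that [loss_low, loss_high] is the 90% interval."""
        mu = (math.log(self.loss_low) + math.log(self.loss_high)) / 2
        sigma = (math.log(self.loss_high) - math.log(self.loss_low)) / (2 * 1.645)
        return mu, sigma

def simulate_annual_losses(scenario, years=10_000, seed=0):
    """One loss figure per simulated year (0.0 in years with no event)."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    mu, sigma = scenario.lognormal_params()
    losses = []
    for _ in range(years):
        hit = rng.random() < scenario.annual_probability
        losses.append(rng.lognormvariate(mu, sigma) if hit else 0.0)
    return losses

def percentile(values, q):
    """Empirical q-quantile (0 <= q <= 1) by rank, without interpolation."""
    ordered = sorted(values)
    return ordered[min(int(q * len(ordered)), len(ordered) - 1)]

def summarize(losses):
    """Figures a risk team reports: exposure, hit rate, incident size, tail."""
    event_years = [x for x in losses if x > 0]
    return {
        "annual_loss_exposure": sum(losses) / len(losses),  # mean per year
        "probability_of_loss_year": len(event_years) / len(losses),
        "mean_single_incident": sum(event_years) / len(event_years) if event_years else 0.0,
        "p95_annual_loss": percentile(losses, 0.95),
        "worst_year": max(losses),
    }

if __name__ == "__main__":
    # Constructed inputs: 2% is the report's representative-company probability;
    # the $500K-$8M single-incident range is an assumption for illustration only.
    scenario = RiskScenario(0.02, 500_000, 8_000_000)
    print(summarize(simulate_annual_losses(scenario)))
```

Running it shows why a multi-million-dollar single incident can coexist with a modest annual exposure: the mean is dominated by the 98% of simulated years in which nothing happens.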
Very scientific – but 2% and $42K? How can we square that with the impression given by the parade of headlines about crushing ransomware events, like the attack on Colonial Pipeline in 2021 that resulted in fuel shortages up and down the East Coast of the US?
Well, for starters, our study looks across the entire risk landscape, including the many garden-variety ransomware attacks that infect a few workstations, cost a limited amount of effort by a response team, and never make the headlines.
Secondly, although we draw our data from the best sources (Verizon DBIR, Zywave, and more), it’s possible there’s some under-reporting in ransomware. The Securities & Exchange Commission (SEC) recently fined software house Blackbaud for concealing the full economic impact of a reported data breach.
Third, it’s been reported that organizations are getting better at resisting ransomware and increasingly refusing to pay, and that ransomware gangs are being forced to switch to other tactics or forced out of business altogether. TechTarget reported that Mandiant responded to 15% fewer ransomware incidents in 2022 versus the previous year. The FBI recently announced that it had “dismantled” the Hive ransomware gang.
Other studies corroborate our lower estimates of ransomware probability. For its Ransomware Report 2023, OutPost24 monitored ransomware gang data leak sites and tallied 1,001 private organizations in North America posted there. Measured against all US companies, that would be well under a 1% probability. If you conservatively restrict the population to companies with more than 500 employees, deliberately pushing the estimate upward, the result is a 4.79% probability of ransomware.
But don’t pop the cork yet on ransomware risk. Averages for cyber loss events across all industries are one slice of reality. You should check the 2023 RiskLens Cybersecurity Risk Report for the situation in your industry.
Unlike other cybersecurity risk studies, the RiskLens report gives you the full picture of probable occurrence versus cost, supporting a more sophisticated approach to decision making.
Detail of Ransomware Chart from RiskLens 2023 Cybersecurity Risk Report
See the chart on page 21 for some examples:
>>Manufacturing tops the list for both risk exposure (the right column, $140.7K) and loss from a single incident (the left column, $7.9 million, a highly useful number for determining insurance coverage). Why is manufacturing a target? IBM Security’s annual X-Force Threat Intelligence Index for 2021 found that ransomware actors “wagered on the ripple effect that disruption on manufacturing organizations would cause their downstream supply chains to pressure them into paying the ransom.” The good news: a manufacturing firm has just a 1.6% annual average probability of an attack.
>>Second on our list for exposure, Public Administration, comes in much lower at $65.4K but ranks #1 for probability at five percent. Weak security is likely the draw for attackers of the public sector: threat actors were inside the Suffolk County, New York, IT systems for nearly a year before surfacing with their ransom demand and a crippling attack, the result of “a series of technical blunders, delayed security upgrades, unsuitable management structures and obstructive behavior from a senior official,” the Wall Street Journal reported.
>>The most heinous ransomware attacks are against healthcare, potentially putting lives at stake. The RiskLens study places healthcare third for attack probability, at 3.1% per year, but sixth out of nine sectors for exposure, at just $22.9K, once probability is weighed against cost.
Inform your decision-making on cybersecurity: get the full details on all the cyber risks by downloading the RiskLens 2023 Cybersecurity Risk Report now.