Ransomware is a top-of-mind threat for industries of all sizes, and is constantly being evolved and adapted by technically sophisticated and financially motivated attackers. To illustrate the importance of this issue in business terms, Aberdeen’s simple analysis quantifies how the faster, more scalable time-to-recover provided by a cloud-based backup and restore capability reduces the impact of ransomware by about 90%,
Breaking Down the Relentless Risk of Ransomware
Although ransomware has been a weapon in the cybercriminal’s arsenal since as early as 1989, it has more recently become a top-of-mind threat for organizations of all sizes in the wake of the publicity that followed massive, worldwide ransomware attacks such as Petya (2016), WannaCry (2017), and NotPetya (2017).
Today, technically sophisticated and financially motivated attackers are constantly evolving and adapting their deployment of ransomware — to evade the protection mechanisms put in place by the defenders, and to maximize their own return on investment. Technical trends currently include high growth in new ransomware variants, as well as increased targeting of mobile devices, connected devices (i.e., IoT), servers, and cloud-based services in addition to traditional enterprise endpoints.
While the technical details and trends of ransomware are interesting and valuable for subject-matter experts, what enterprises ultimately need to understand is the risk. We often confuse technical information about threats, vulnerabilities, exploits, and information technologies with risk, and commonly use these terms interchangeably — but they are not synonymous with risk. This kind of technical information is about the “who,” “what,” and “how” of ransomware. Risk, on the other hand, is about the all-important “so what.”
Risk, as properly defined, is always about “how likely is a successful ransomware attack to occur” for our organization, and “how much is the corresponding business impact.” If we’re not talking about how likely and how much business impact, we’re not really talking about risk.
Breaking Down the Risk of Ransomware: How Likely?
From a variety of public sources, we can get a sense of several key factors for the likelihood side of the risk of ransomware:
- More than half of enterprises report that they’ve experienced at least one ransomware attack during the previous 12 months.
- Of those who were attacked, most are attacked more than once.
- Most ransomware attacks impact traditional enterprise endpoints — although increasingly they are also impacting the data on mobile devices, connected devices (i.e., IoT), on-premises servers, and cloud-based services.
- About two-thirds of ransomware attacks are successful in infecting at least one endpoint.
- More than half of successful ransomware attacks subsequently expand to infect more than one endpoint.
- Few organizations pay the ransom to recover their data — almost all can restore from backups.
Breaking Down the Risk of Ransomware: How Much Impact?
Similarly, the business impact side of ransomware has several potential factors, including:
- Lost productivity of users and responders — i.e., the extent to which users are unable to do their jobs during the time their data is encrypted and unavailable. To date, such non-availability has been the primary business impact of ransomware.
- Loss or exposure of sensitive data — i.e., the extent to which ransomware results in a data breach, with its associated costs, fines, and / or penalties. To date, attackers have generally not been exfiltrating the encrypted data, just holding it for ransom and more immediate financial gain.
- Loss of current revenue — i.e., the extent to which data being encrypted and unavailable disrupts the generation of revenue during the time of disruption.

Key factors in quantifying the annualized business impact of ransomware attacks also include the number of devices and users who may be affected, the total volume of data to be recovered, and the total time-to-recover.
Quantifying the Risk of Ransomware: A Simple Case-in-Point, Focused on Traditional Enterprise Endpoints
To help the organization’s senior leadership team make a better-informed business decision about the risk of ransomware, and what to do about it — accept it? transfer some of it to a third party? invest in additional capabilities to manage it to an acceptable level? — security professionals need to communicate about this issue more effectively, in the language of risk that the senior leaders already know and understand.
To illustrate how the risk of ransomware can be quantified, Aberdeen has developed a Monte Carlo analysis for a specific case-in-point: ransomware that impacts traditional enterprise endpoints.
For simplicity, Aberdeen’s analysis:
- Focuses on traditional enterprise endpoints, which are still the most widely affected by ransomware attacks. (As previously noted, technical trends currently include increased targeting of mobile devices, connected devices, on-premises servers, and cloud-based services in addition to traditional enterprise endpoints. To be clear, all enterprise data should be backed up, available, and recoverable, regardless of the source.)
- Is based on a context of 1,000 enterprise employees — with an assumption of one traditional enterprise endpoint per employee — and a total of 10 TB of traditional endpoint data that potentially needs to be recovered.
- Focuses on lost productivity as the primary business impact of ransomware, i.e., it does not consider the potential business impact of data breaches, loss of current revenue, or loss of future profitability as discussed above. This analysis therefore reflects a conservative, understated estimate of the total business impact of ransomware — factors which could be added, if necessary, to make a well-informed business decision about risk.
By estimating reasonable ranges (lower bound, upper bound) and shapes (probability distributions) — based on the best available data — for the key factors of “how likely” and “how much impact” discussed above, Aberdeen’s simple Monte Carlo analysis quantifies the total cost of lost productivity as a result of ransomware attacks under the status quo backup and restore capabilities (see the purple line in Figure 1):
- The median annual cost of ransomware for an organization of 1,000 employees and 10 TB of data to backup and recover is about $490K …
- with a 10% likelihood that it will be more than $2.5M. The latter figure is an example of the “long tail” typical of security-related risks that’s so important for the senior leadership team to understand, to make a well-informed business decision regarding whether this level of risk is acceptable.
Quantifying the Risk of Ransomware for Enterprise Endpoints, After Deployment of a Cloud-Based Backup / Restore Solution
For the “after” scenario, Aberdeen’s analysis is based on the adoption of a cloud-based backup and restore capability, to reduce the business impact of a successful ransomware attack affecting enterprise endpoints:
- Cloud-based backup and restore solutions can provide significantly faster time-to-recover for enterprise data, from a wide range of sources. For this scenario, total time-to-recover is based on empirical performance data made available to Aberdeen by a specific solution provider (Druva inSync).
- Cloud-based backup and restore solutions also provide a degree of isolation from an on-premises ransomware attack — e.g., one in which a single enterprise endpoint is effectively “ground zero,” from which the ransomware attack extends to impact many other devices, on-premises servers, and cloud-based services.
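The status quo and “after” comparison described above, as an added Python example that is not Aberdeen’s model or Druva’s data: only the 1,000-employee / 10 TB framing comes from the page, while every probability, range and restore throughput is a constructed assumption. It draws the “how likely” and “how much” factors per trial, then reports the median and the 10%-likelihood point for both scenarios on the same random draws so that only the time-to-recover lever differs.

```python
import random
import statistics

# Constructed scenario following the page's set-up: 1,000 employees, one
# endpoint each, 10 TB of endpoint data. All probabilities and ranges below are
# illustrative assumptions, not Aberdeen's fitted distributions.
EMPLOYEES = 1_000
DATA_TB = 10.0


def annual_lost_productivity(restore_tb_per_hour, seed=7, trials=10_000):
    """Monte Carlo of one year's lost-productivity cost from ransomware.

    restore_tb_per_hour is the time-to-recover lever that a faster backup and
    restore capability changes; everything else is held constant, and the same
    seed yields the same draws, so two scenarios compare trial by trial.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # How likely: ~60% of organizations see an attack; most of those, several.
        attacks = rng.choice([0, 0, 0, 0, 1, 2, 2, 3, 3, 4])
        cost = 0.0
        for _ in range(attacks):
            if rng.random() >= 0.65:       # assumed: ~2/3 of attacks infect an endpoint
                continue
            infected = 1
            if rng.random() < 0.55:        # assumed: >half of successes spread further
                infected += int(rng.triangular(1, EMPLOYEES * 0.5, EMPLOYEES * 0.05))
            # How much: data to restore scales with endpoints hit; downtime is the
            # detection/response delay plus the restore time for that data.
            data_tb = DATA_TB * infected / EMPLOYEES
            hours_down = rng.triangular(4, 24, 8) + data_tb / restore_tb_per_hour
            hourly_cost = rng.triangular(25, 75, 40)  # assumed loaded $/user-hour
            cost += infected * hours_down * hourly_cost
        losses.append(cost)
    return losses


def summarize(losses):
    """Median, mean and the 10%-likelihood ('long tail') point of annual loss."""
    s = sorted(losses)
    return {"median": statistics.median(s),
            "mean": statistics.fmean(s),
            "p90": s[int(0.9 * len(s))]}


if __name__ == "__main__":
    before = annual_lost_productivity(restore_tb_per_hour=0.02)  # assumed status quo
    after = annual_lost_productivity(restore_tb_per_hour=0.20)   # assumed 10x faster
    for name, run in (("status quo", before), ("cloud restore", after)):
        r = summarize(run)
        print(f"{name:14s} median ${r['median']:>12,.0f}  "
              f"p90 ${r['p90']:>12,.0f}  mean ${r['mean']:>12,.0f}")
```

The gap between the median and the p90 value is the long tail the page asks leadership to weigh; changing only the throughput argument shows how much of that tail the time-to-recover lever removes under these assumptions.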
Summary and Key Takeaways
Ransomware is a top-of-mind threat for industries of all sizes, and is constantly being evolved and adapted by technically sophisticated and financially motivated attackers.
To help the organization’s senior leadership team make a better-informed business decision about the risk of ransomware – and what to do about it – security professionals need to communicate about this issue more effectively, in the language of risk that the senior leaders already know and understand: how likely, and how much business impact?
To illustrate the importance of this issue in business terms, Aberdeen’s simple analysis quantifies the risk of ransomware for traditional enterprise endpoints using current approaches: