We’ve been talking about cybersecurity almost full time for many years now. It has dominated news cycles and is usually one of the top 3 concerns of anyone in a CIO role or similar. In our Cybersecurity Budgeting blog post, we discussed how small businesses may not have a good handle on the information required to make sound cybersecurity budgeting decisions. Today, we’re going to remedy that using a variety of well-respected sources including the Verizon Data Breach Investigation Report 2023, Varonis 2021 Data Risk Report, IBM Cost of a Data Breach Report 2023, and more. You can view our references list below.
Ransomware Is All the Rage These Days
Undoubtedly, this risk is near the top of your list of cybersecurity concerns if you have not already addressed it with a good EDR/MDR solution and a well-implemented backup solution. So, what’s the cost of a ransomware attack? According to page 30 of the 2023 Verizon Data Breach Investigation Report, there’s a 95% chance a successful ransomware attack will cost you somewhere between $1 and $2.24 million, with the median being about $26,000.
But those numbers don’t include indirect costs like your business insurance premiums going up, lost customers, or the 22-day average time to recover from ransomware once the attack is triggered. Page 32 of the IBM Cost of a Data Breach Report puts a number to those indirect costs, bringing the average total cost of a ransomware attack to $5.13 million, with a rough total of 273 days to identify and contain the breach with law enforcement assistance. It may cost you the median $26,000 in direct out-of-pocket costs, as the Verizon DBIR reports, but your total business impact, including costs your insurance company covers, can easily get into the millions of dollars.
How Do These Breaches Occur?
According to the 2023 IBM Cost of a Breach report, of all the data breaches that occurred in 2023, the initial attack methods were:
According to the 2023 Verizon DBIR, a successful social engineering attack that results in a Business Email Compromise (BEC) has a median cost of about $50,000 per attack. According to the IBM Cost of a Data Breach report, the total cost of a BEC is about $4.6 million. BEC is a favorite play for the bad guys.
Industry Examples
Healthcare
For healthcare, where per-record costs are appropriate measures of risk, page 10 of the 2023 IBM Cost of a Data Breach report puts the number around $165 per record and over $10 million per breach. According to the United States Health & Human Services (U.S. HHS) enforcement data, as of Sept 2023, 30,455 cases required corrective actions, including 137 HIPAA violation investigations that also had civil money penalties imposed to the tune of $137,918,772, about $999,407 per fine.
It is important to note that HIPAA violation penalties are subjective and depend on whether the U.S. HHS judges that you made a reasonable effort, given the size and resources available to the business, to address compliance concerns before the breach occurred. The most egregious violations (which are rarely even threatened) can end up with penalties up to $50,000 per record and even include up to ten years in prison.
Manufacturing
You think you’re ok just because you’re a small manufacturer? According to the Varonis 2021 Data Risk Report,
“Manufacturing is the fifth most targeted industry in 2020, with the average data breach costing $4.99 million.”
According to the National Institute of Standards & Technology (NIST), small manufacturers are one of the top targeted segments. The 2023 IBM Cost of a Breach report says companies that are classified as Industrial made up 10% of all breaches. Page 50 of the 2023 Verizon DBIR lists Manufacturing as having 1,814 security incidents of the 13,535 incidents reported where the industry type was known. The median cost for a small manufacturer that gets ransomware is $60,000, and the average cost of a data breach for a small business is $105,000. Small manufacturers are also more likely to fall for social engineering scams such as fake invoices, unordered products, imposter scams, and tech support scams.
We hope all of this information helps you quantify and prioritize your cybersecurity budgets.
We Get It, These Numbers Don’t Seem Real. Here Are References to Back Them Up:
- Varonis 2021 Data Risk Report: Healthcare, Pharmaceutical & Biotech
  - Pg. 3, SMB (under 500 employees): average number of sensitive files = 132,763; average number of sensitive files open to everyone = 57,930
  - Pg. 4, SMB (under 500 employees): “exposed sensitive files” per TB of data = 5,107
  - Pg. 5, “Organizations that willfully neglect HIPAA Rules and make no effort to protect sensitive patient data could be fined up to $1.5 million per year”
  - Pg. 7, “an average data breach cost of $7.13 million in 2020”
- Varonis 2021 Data Risk Report: Manufacturing (sensitive files = financial + trade secrets + business plans)
  - Pg. 3, SMB (under 500 employees): average number of sensitive files = 166,051; average number of sensitive files open to everyone = 23,684
  - Pg. 4, SMB (under 500 employees): “exposed sensitive files” per TB of data = 721
  - Pg. 4, “It takes IT professionals an estimated 6–8 hours per folder to locate and manually remove global access, meaning it would take years to remediate and maintain these folders manually.”
  - Pg. 7, “Manufacturing is the fifth most targeted industry in 2020, with the average data breach costing $4.99 million. The average breach in the manufacturing sector takes 220 days to contain — one of the longest threat lifecycles out of any industry.”
- Varonis 2021 Data Risk Report: Financial Services
  - Pg. 3, SMB (under 500 employees): average number of sensitive files = 163,435; average number of sensitive files open to everyone = 12,550
  - Pg. 4, SMB (under 500 employees): “exposed sensitive files” per TB of data = 2,571
  - Pg. 7, “The average cost of a data breach is among the highest of any industry, at 5.85 million USD.”
- Varonis 2021 SaaS Risk Report (covers Google, Box, GitHub, Okta, Zoom, Slack, Salesforce, Jira, AWS, Amazon S3)
- United States Health and Human Services: Enforcement Results as of September 30, 2023
  - “OCR has investigated and resolved over 30,455 cases by requiring changes in privacy practices and corrective actions”
  - “OCR settled or imposed a civil money penalty in 137 cases resulting in a total dollar amount of $136,918,772.00”
- Verizon 2023 Data Breach Investigation Report
  - Pg. 13, 94.6% of attacks had financial motivations
  - Pg. 16, ransomware accounted for 15.% of all security incidents and 24% of all security breaches
  - Pg. 30, 93% of ransomware attacks reported to the FBI had no financial loss; of the 7% that remained, the median loss was $26,000, with the 95% range between $1 and $2.25 million
  - Pg. 66, the top mitigations for businesses with under 1,000 employees remain the CIS Controls in the IG1 category, with highlights on “Security Awareness and Skills Training”, “Data Recovery”, and “Access Control Management”
  - Pg. 67, the next set of mitigations for small businesses are “Incident Response Management”, “Application Software Security”, and “Penetration Testing”
  - Pg. 31, social engineering incidents have increased from the previous year, largely due to pretexting (commonly used in BEC), which has almost doubled since last year; compounding the frequency of these attacks, the median amount stolen has also increased over the last couple of years to $50,000
- A Cost Analysis of Healthcare Sector Data Breaches, Health Sector Cybersecurity Coordination Center (HC3)