Welcome Hackers! This might as well be the slogan for the third of companies who think it would be more cost effective to pay hackers ransom than to invest in a comprehensive cybersecurity defense. Such a conclusion is based purely on monetary considerations. The thinking is that investing in expensive cybersecurity may be nothing more than throwing money away. If no one ever tries to hack your company, you won’t need to pay for cybersecurity, right? After all, why pay for nothing? Why pay for cybersecurity architecture and all the qualified people you need to manage it? Wouldn’t it be less expensive just to pay the hackers some ransom or just pay for the cleanup after a hack? Although it may seem like a naïve approach to many in the cybersecurity industry, it’s a fair question and one that needs to be looked at seriously.
So, let’s delineate some of the monetary underpinnings for this viewpoint. According to a Deloitte survey of 747 firms, the average percent of revenue channeled into IT departments amounts to around 3.28%. Of this, generally less than 20% will be specifically designated for cybersecurity. The graph below shows that some economic sectors are more concerned about IT than others.
Gartner defines a small business as one with a revenue of less than $50 million a year. This means the average small to medium company would spend about $2 million on IT. Assuming about 20% of this is spent on cybersecurity, we end up with a cybersecurity expenditure of roughly $400,000. Of course, large companies in certain sectors will be paying much more, but, for the sake of this investigation, I’ll use the $400,000 figure as representative of a small to medium-sized business. These are businesses that have to keep a tighter rein on their expenditures so they would necessarily be most concerned about any losses due to hacking.
Last year, Kaspersky reported that the average loss to a small to medium-sized business from hacking was $117,000. Thus, on the surface, solely from a financial point of view, it would seem that taking the gamble on not being hacked could be justified. But Kaspersky notes that there are extenuating circumstances. Here are the costs that firms incur when trying to recover from the effects of a breach.
Keep in mind that these are the costs that follow a breach. That’s where the $117,000 figure came from. It does not take into account any money that the hackers may have either stolen or asked for as in a ransomware attack. It does not take into account how much hackers can make from selling a database of personal information. Attacks that result in a lost database of personal information can be the most expensive to recover from. A Ponemon study estimated the average cost of a data breach to be around $690,000.
Now, back to the report from NTT which interviewed “1,800 global business decision makers” to find out their views on cybersecurity. The main takeaway I got from this report is that these “business decision makers” seemed naïve when it came to cybersecurity. Nearly half (47%) believed that they had never been affected by a breach. Maybe that was true, or maybe they are just one of those companies that have been breached but don’t yet realize it. (Statistics for US firms show “63% report an incident in the past year and nearly half (47%) have experienced two or more”.) However, what was even worse was that one-third of the respondents felt that they would never be breached.
This fact probably explains what NTT claimed was “one of the most shocking statistics in this report”. That is, that one-third of respondents said they would rather pay a ransom than invest in cybersecurity. An additional 16% were unsure of whether they would pay a ransom or not. Taken together, this means that half of all companies would at least consider paying a ransom. This attitude must have been welcome news to those criminals using ransomware to make money. It also reveals the respondents’ naiveté. Their underlying belief seems to be that paying a ransom will restore everything to normal. In fact, there is no guarantee that the criminals will either honor the ransom payment and decrypt the data or, given the incentive of the first payment, not attack them again.
Another fact that seems to emerge from the report is the uncertainty that exists over who would be ultimately responsible if a breach occurred. One-fifth believed that such a breach would be the responsibility of the CEO, even though it seems that few CEOs really knew what was going on in their IT departments. Statistics indicate that very little communication was going on between high level management and the IT department. This could be because management did not feel qualified to speak cogently on IT matters. Then again, it may be that such conversations only occurred when the IT department approached management for budget allocations or informed them about serious breaches. A Ponemon study seems to support a general lack of communication going on in most businesses, as can be seen in the graph below.
Malwarebytes found that, of companies experiencing a ransomware attack, 20% were forced to shut down immediately. Most companies were down for 1 to 8 working days (assuming a 12-hour working day). 80% of ransom demands were for under $10,000. 21% of those receiving ransom demands paid the amount requested. Of those not paying the ransom, 32% lost files. It is impossible to assess the cost per day of a company not being operational. That would vary with the type and size of the company. In this respect, however, the ransom itself would probably be a minor expense. Medical, financial, and online retailing firms would probably be more likely to pay the ransom in the hope of resuming normal operations. So the average cost for a ransomware attack would be about $127,000. However, many companies experienced more than one ransomware attack in a year.
But hacking is not just about collecting a ransom. Hackers steal for financial gain or to acquire important information. Hacks that steal information tend to be more difficult to recover from. When customer information is stolen, it is often sold on the deep web. How would customers ever trust a company that exposed their personal information? Stolen company secrets put the existence of the enterprise at risk. In both kinds of hack, the company’s reputation suffers. As most companies realize, reputation is closely linked to profits. The quarter after the Target hack, profits fell by 50%, a loss which smaller companies may not be able to absorb.
There is a widely quoted statistic that 60% of small businesses will fail in six months following a cyber attack. The statistic is claimed to originate from the National Cyber Security Alliance. I made a rigorous attempt to verify this claim, but could not. I did, however, eventually find a press release from the NCSA in May of 2017 saying that “this statistic was not generated from NCSA research” and that “members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.” That said, most businesses will experience serious financial stress following any cyber attack. A Cisco report found that 38% of organizations experienced a substantial financial loss, 42% saw a substantial loss of opportunities, and 39% saw a substantial loss of customers. Each small business needs to take these statistics into consideration and determine for themselves if they could survive such an impact to their particular business.
This is not to say that small and medium-sized businesses have absolutely no security at all. They may have some simple antivirus software or may use a VPN. They don’t, however, have a coordinated cybersecurity strategy backed by an IT department, which would be needed in the case of a strong attack. They certainly do not have state-of-the-art technology to protect themselves from the most commonly used attack vector: the exploitation of unprotected endpoints. As such, they are continuously vulnerable to the irresponsible online behavior of any employee who has access to their network.
And that brings us back to the main question: Is it better to wait to be hacked before paying for cybersecurity? It’s a gamble, and one that is the statistical equivalent of a coin toss. In other words, would you risk your business on the toss of a coin? In the end, you simply have to ask yourself one question: Are you feeling lucky?