With ransomware attacks becoming increasingly sophisticated, they’re also becoming more costly than the average data breach, as illustrated by a new report.
The latest Cost of a Data Breach Report from IBM surveyed 550 organizations worldwide that experienced breaches between March 2021 and March 2022, offering insights on how costly ransomware attacks and other forms of data breaches can be.
Breach Response Costs Hit a Record High
Data breaches in general – not just ransomware attacks – have become costlier than ever, with the average cost of a breach reaching a record-high $4.35 million (all figures in U.S. dollars) in 2022, according to the report. Breach response costs have risen by 13% over the past two years.
The average cost of a ransomware attack is even higher – $4.54 million, on average, not including the cost of a ransom payment, which averages $812,360. It typically takes ransomware victims longer to identify and respond to an attack (326 days, on average) than other breach victims (277 days).
Ransomware attacks are also being perpetrated far more quickly these days. A report from IBM Security X-Force found that the length of time it takes to pull off a ransomware attack plummeted by 94% from 2019 – 2021, falling from just over two months to less than four days.
Critical Infrastructure a Vulnerable Target
According to IBM, ransomware and destructive attacks accounted for 28% of the breaches within critical infrastructure organizations, which are often ill-prepared to deal with such attacks.
Only 21% of critical infrastructure organizations have adopted a “zero trust” security model – a system that assumes a network may already be compromised and uses artificial intelligence and analytics to continuously validate users’ connections to a network – according to IBM.
Ransomware threats against critical infrastructure continue to evolve. On August 11, the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory about Zeppelin Ransomware.
Zeppelin has targeted healthcare and medical organizations, as well as defense contractors, educational institutions, manufacturers and technology companies in the U.S., exfiltrating sensitive data and demanding ransom payments in Bitcoin.
“The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered,” the advisory read. “Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
Some U.S. states are now prohibiting ransom payments. Both North Carolina and Florida have passed laws banning certain public entities from paying ransomware demands, and New York is considering a bill that would prohibit public entities and private companies from paying ransoms.
Reducing Your Risks
As we’ve discussed in recent blogs, most breaches have the potential to cause significant harm to affected individuals, and you may be required to report breaches to a privacy commissioner. The fact that breaches are now becoming even costlier means being prepared is more important than ever.
There are many ways to reduce your risk of a ransomware attack, such as having phishing exercises to educate your staff on risks, ensuring your operating systems and software are up to date, and securing and monitoring your network connections. You should also have an incident response plan that is tested regularly so you’re prepared to respond to a breach.
The lawyers in our Privacy, Data Protection & Cybersecurity team have wide-ranging experience advising clients on developing strategies to prevent and respond to breaches, including ransomware attacks. We also act as counsel for clients responding to a breach. Download our cybersecurity checklist to assess your organization’s current cybersecurity strategy.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.