The Real Cost of a Ransomware Attack: The Ransom Is the Least of Your Problems

Most people hear “ransomware” and immediately think about the ransom. That’s the number that shows up in the headlines, the number executives ask about, and the number that dominates most of the conversation. But the real cost of a ransomware attack? That’s a completely different, much larger number — and most organizations don’t find that out until they’re already buried in it.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/real-cost-of-a-ransomware-attack.

Let me give you an example that sets the tone for everything. UVM Health Network got hit in October 2020. A staff member took their work laptop on vacation, opened a phishing email, brought the laptop back into the office network, and the malware spread. Over 1,300 servers went down. Staff were forced back to paper records. Patient care was disrupted for weeks — radiology, lab services, the patient portal that people use to access their own healthcare information, all of it gone. The Ukrainian hacker responsible was eventually caught, which is rare. The total bill came to over $63 million. They never paid the ransom.

That’s the story. The ransom was zero. The cost of a ransomware attack was $63 million.


The Cost of a Ransomware Attack Starts With Your People

Before you even get to lost revenue or regulatory fines, you’re already spending money on people. Your IT staff will be working around the clock — sleeping on the floor, eating carry-out food, running on no sleep for days. Lower-level IT and cyber staff aren’t always salaried-exempt, which means overtime. And a lot of it.

On top of that, you’re probably going to bring in outside help. A firm like Dr. Mike Saylor’s Black Swan Cybersecurity is exactly the kind of organization you want to have a relationship with before any of this happens. The worst time to find your incident response partner is at 2am when you’re already on fire. The best time is over a cup of coffee when everything is calm and you can have a real conversation.

Then there’s hardware. You can’t order 1,300 servers on Amazon Prime with free two-day delivery. You’re going to be calling your vendor and paying whatever it takes to get equipment fast — and even the US government would struggle to get a one-day turnaround on that kind of order. You may also need to spin up emergency cloud capacity to keep recovering systems running at the same time you’re still cleaning up others.


Lost Revenue Is Just the Beginning of the Cost of a Ransomware Attack

Here’s what people underestimate: it’s not just the revenue you lose during the outage. It’s the revenue you lose after.

When your business goes down, your customers don’t just sit around waiting for you to come back. They go find someone else. Some of them will stick around, but some of them will discover that your competitor isn’t as bad as they thought — and they’ll stay there. You’ve lost not just current revenue, but future revenue from that customer, and potentially their network of contacts too.

And Dr. Mike Saylor dropped a stat in our conversation that I think everyone needs to hear: over 50% of businesses that get hit with ransomware and don’t have a solid incident response plan don’t survive. More than half. Gone.

The reputational damage is a big part of why. I can still name the company that was involved in my first data breach back in 2005. I haven’t forgotten, and I won’t. Your customers feel the same way. They’re going to Google your company when they’re thinking about doing business with you, and if this is the story that pops up, that’s a real problem.

Beyond customers, there are regulatory fines — GDPR alone can hit up to 4% of your annual revenue. California is aggressive on per-record fines for consumer data. If you were hit with double extortion ransomware (where they steal your data before encrypting it), you may be on the hook for both recovery costs and regulatory penalties at the same time. That’s a brutal combination.


The Cost of a Ransomware Attack Follows You For Years

The costs don’t stop when the incident is over. Your cyber insurance premiums are going up — probably significantly. Your insurer is going to hand you a long list of things to remediate before they’ll renew your policy. And read your policy carefully before an incident, not after — Mike shared a case where a company’s claim was denied because the policy only covered domestic attacks, and the attack turned out to be international.

After an incident, your vendors and suppliers may not trust you the way they did before. Your payment processor may shut off access and require a third-party security review before turning it back on — a dental practice in one of Mike’s cases ended up running carbon copy credit card swipes because of exactly that situation. Your credit rating as a company can take a hit if you depend on financing.

And your staff? The people who lived through the incident aren’t going to be the same. Mike compared it to coming back from a war — you don’t see things the same way. Some of them will quit. Often, they’re the same people who were warning you about the problems that led to the breach in the first place.

The cost of a ransomware attack is not a one-time event. It’s a long-tail expense that keeps showing up on the bill for months and sometimes years.


What can you do about it? Start with a Business Impact Analysis. Know what every system in your organization is worth per hour of downtime. Know what your critical processes are, who owns them, and what the alternative is if they go away. Mike’s firm did a BIA for a city government with 14 departments in two weeks. Most small-to-medium businesses can get it done in one to three weeks. It’s the kind of work that’s easy to put off — but it’s the work that gives you a recovery plan that actually works, and the ammunition you need to get budget from leadership before an attack happens rather than after.

Do it sooner rather than later. You don’t need a time machine, but you do need a plan.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.
