Newsletter 01/27/2024 If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal

The Cost of Doing Business, Pt. 3
Documenting the True Costs of Ransomware

A recent study published in the United Kingdom has thoroughly documented the societal costs of ransomware.  Ransomware has become one of the most damaging scourges of modern IT; fittingly, the title of the study is The Scourge of Ransomware.  The study clearly delineates the costs associated with ransomware, which go far beyond the cash ultimately paid to the cybercrooks by victim organizations.  The findings of the report are based upon three methodologies employed by the study's authors.  The study focuses mainly on how ransomware has impacted victims in the UK, but also draws on the experiences of victims in the US and elsewhere.  [Ibid., p. 6]

1.  Literature review: This consisted of a literature review of publicly available sources on ransomware harm and ransomware victims. It included a non-systematic review of publicly available academic and grey literature, including surveys and reports conducted by stakeholders in the ransomware ecosystem.

2.  Semi-structured interviews: The primary dataset for the paper is based on 42 semi-structured interviews with victims of ransomware attacks and with subject matter experts from across the ransomware ecosystem, including individuals from the insurance industry, government and law enforcement, as well as incident responders.

3.  Workshops: In November 2022 and February 2023, the research team conducted two online workshops with key stakeholders from UK government, the insurance and cyber security industries, lawyers and law enforcement.

The report finds that three levels of harm occur from ransomware attacks. [p. 1]

First-order harms: Harms to any organisation and their staff directly targeted by a ransomware operation.
Second-order harms: Harms to any organisation or individuals that are indirectly affected by a ransomware incident.
Third-order harms: The cumulative effect of ransomware incidents on wider society, the economy and national security.

These first-order harms are damage done to the attacked entities themselves, striking at what is fundamental to their operations.  [p. 1]

Several of the victims interviewed revealed that their servers had been encrypted by the ransomware in their entirety, with one victim in the education sector losing access to more than 10,000 computers as a result.

Among these first-order harms are both the obvious and the less obvious financial harms done to an entity that suffers an attack. [p. 22]

Some forms of financial harm – such as the cost of a ransom payment – can be measured relatively easily, with studies finding that both ransom demands and incident response costs are steadily increasing. Other aspects of financial harm are harder to quantify, such as the cost of missed opportunities and reduced productivity.

Surprisingly, the report notes that fees paid to independent technical experts called in to mitigate the outcomes of an attack can exceed the amount demanded in the ransom itself.  Lawyers' fees are singled out specifically as a hidden cost of ransomware attacks. [p. 23]

The high additional costs of hiring help from third parties are financially challenging where they are not covered by insurance, especially for small companies or for public service providers with limited financial reserves.

The aftermath of an attack often requires the replacement of a significant number of compromised devices.  The study cites how one "company replaced all its employees’ phones after a ransomware attack."  These attacks can also make painfully clear to victims that some remediation should have been done before the attack, demonstrating the 20/20 hindsight of too many network administrators and managers.  Quoting from the study, "As a victim in the education sector said, 'It’s all a lot of money, but money we should have spent a year earlier.'" [p. 24]

These financial harms are, to one degree or another, self-evident and understandable.  Less obvious are the harms done to the staff of victim organizations.  As the study noted: [p. 32]

Primarily, experiencing and responding to a ransomware attack creates considerable stress for the individuals involved. For example, an interviewee from the engineering sector confirmed, ‘There’s a huge amount of pressure and stress that everybody was under’, to the extent that their company hired a posttraumatic stress disorder (PTSD) support team.

Interviewees often cited a feeling of guilt over the attack having happened, and IT staff told the authors that they blamed themselves.  Panic and disorientation among IT staff were also common in the wake of an attack.  The study found that these harms to staff can persist long after the incident has concluded.  [pp. 34-36]

Not only did the mental health of IT staff suffer in the wake of a ransomware attack, but actual physical harm to staff was documented as well.  According to the study authors, these harms "ranged from minor ailments (for instance, weight changes) to serious health issues (such as heart attack or stroke)."  While admitting that it was uncommon, one law enforcement officer told an interviewer of "a member of IT staff at an organization who took their own life following a ransomware incident."  In its discussion of these harms to individuals, the study makes the point that "Psychological harm to staff and individuals is significantly overlooked, both in public discourse and in organizational responses to ransomware attacks." [p. 62]

In its reporting on the study on January 18, 2024, The Register based its entire article on the cited cases of psychological harm suffered by IT staff in the wake of ransomware attacks.  While I have never been responsible for a 7-figure IT budget, nor have I in any way been involved in any large-scale ransomware attack, I can nevertheless personally attest to the stress and the negative psychological impacts of dealing with cyberattacks on many smaller entities.

As the authors state in the Conclusion to the study, [p. 64]

While the wider focus of reporting is often on the financial implications of ransomware attacks, this paper has set out a detailed analysis of different kinds of harm experienced directly or indirectly by ransomware victims and by society at large.

And that:

Key findings based on this research underline that the psychological impact of ransomware attacks is significantly overlooked, and that currently no-one has a full understanding of the economic impact of ransomware attacks, such that the cost of the long-term and indirect financial harms is likely to be missing from current estimates of the economic harm caused by ransomware attacks.

Such are the costs of doing business today.

¯\_(ツ)_/¯
Gerald Reiff