Cyber Ah-ssurance

When ransomware infects an organization, the priorities of the company become narrowly focused in rapid order. They can be generalized as follows:

  1. End the downtime, don’t lose data.

  2. End the downtime, don’t lose data.

  3. End the downtime, don’t lose data.

Slack labor, lost revenue and the potential for permanent brand damage can be panic-inducing to any business bound up by ransomware. In fact, a recent Datto report showed that 75% of managed service providers believe that the downtime associated with ransomware threatens the solvency of their end client. With average ransom demands hovering under $1,000, it's no wonder that a recent SentinelOne survey showed that over 60% of companies that paid a ransom did so because the cost of the ransom was significantly less than the cost of the downtime. But making the decision to pay does not mean the downtime or the incident is over.

There is a major divergence between expectations and reality when it comes to the time it takes to pay a ransom. Simply put, businesses have not planned this section of ransomware disaster recovery. Unless this leg of the recovery has been mapped out and tested, the organization will experience much more downtime than expected. In our research, we found that in cases where the ransom is paid, up to 50% of incident downtime is burned on the logistics of procuring and sending cryptocurrency. One recent case spent almost a full week procuring and sending cryptocurrency. With the average SMB sustaining over 40 hours of downtime per ransomware incident, that can mean a full day of extra downtime that is not baked into client expectations.

This expectational divergence is evidenced in the lack of interest in business interruption insurance policies. While recouping the ransom payment amount via an insurance claim can soften the financial blow, insurance policies offer no utility during the incident. “[Insureds] don’t appear to be particularly interested in business interruption, which is odd because that is the biggest problem for most companies nowadays,” says Martin Overton, cyber specialist, EMEA at AIG. Why is this? Clients don’t expect it to be an issue.

Seasoned security professionals know it's a question of ‘when’, not ‘if’, they will have to recover from ransomware. When the decision to pay is made, assurance that a cryptocurrency payment can be made quickly is extremely valuable. Quickly means minutes, not hours or days. For Coveware clients, it also means a service level agreement for timely support through the entire process.