(Hint: It’s Different Than Your IT Budget)
There’s been a lot of talk recently about large ransomware events (e.g. Colonial Pipeline, JBS Foods). The disruptions were felt by many people, millions were demanded, and the articles made top news. One article stood out for me. The author questioned how much money companies were investing in cyber resilience compared to the ransom payouts.
Using the $4M Colonial Pipeline ransom as an example, the author posed the hypothetical question of whether Colonial wishes it had invested an additional $4M to prevent and/or recover quickly from an attack that shut down production.
Many experts opine that not enough is being invested in cyber resilience, but there’s little practical information on how much is the “right” amount. When does the investment reach the point of diminishing returns? Couple this concern with the tendency for businesses to underestimate both the threat level and the impact of a cyber event, and the result is often too little invested, too late.
So, how do you determine a realistic amount to invest? $4M is a lot, but is it a lot to Colonial Pipeline? Colonial’s annual revenue is approximately $500M; $4M translates to about 0.8% of annual revenue.
Looking at some of the top non-governmental and non-healthcare ransom payouts over the last 12 months, the average ransom was 0.22% of annual revenue. But this is only a fraction of the total cost: legal, remediation efforts, downtime, lost business or lost client confidence, increased liability, etc. add up considerably.
If a $25M/year business experienced a ransom event, at 0.22% of revenue, it could expect a ransom demand of $55,000. That’s before adding in the related costs listed above. Would it be worth increasing your investment by that same amount annually to eliminate the problem, or even to significantly reduce the impact?
If your answer is “no”, then stop reading. But if “yes”, ask yourself how to best improve your cyber resilience and get the most return on that additional investment.
Business is dynamic. Threats are dynamic. Diligent business leaders understand this and ensure that their cyber resilience strategies stay aligned with changing environments.
A final thought as a disclaimer: This article is not intended to provide any kind of legal or financial advice. Every business situation is unique. The intent is merely to provide a quantified reference point for what is often a nebulous topic in the world of technology.