Financial quantification of cyber risk is key to reduce your exposure to ransomware losses
In the fight against cyber threats, financial quantification of cyber risk (CRQ) is often overlooked. CRQ is a powerful method to manage your cyber security more effectively. In this article, we will focus on a ransomware case.

The Cost of Ransomware
The true financial cost of a ransomware incident is often far higher than the extortion payment alone. Here's how to gauge the true financial impact more effectively so you can target your investment in security controls to manage your cyber risk.
According to the FBI's Internet Crime Report, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This statistic takes on its full meaning next to the seven-figure sums often demanded and sometimes paid for victims' data to be decrypted, as in the cases of Colonial Pipeline or Brenntag.
But here's what you might not expect: the ransom is only a fraction of the true cost. Analysis by Check Point Research and Kovrr found that the extortion – when paid – accounted for just 15% of the total cost for victims.
This is where challenges can arise, because we're dealing in approximations: financially speaking, estimates of the cost of cyber events in general, including ransomware, are often very vague. Even the unfortunate victims find it difficult to put a true figure on their losses.
But there are three very good reasons to try to forecast these costs in advance of a possible incident, as it allows organisations to:
- Understand the stakes involved
- Evaluate the most suitable protection
- Prioritize between available controls and mitigations.

Measure Risk in Financial Terms
In 2001, a CISO and a risk management expert created a methodology to answer these precise questions: how do I measure the risk I am exposed to and the return I will have on the money I spend mitigating it? This methodology is known as Factor Analysis of Information Risk, or FAIR™, and it uses cyber risk quantification (CRQ) to calculate financial loss due to information technology risk. In this article, we’ll share four key steps based on this model that will help reduce your exposure to financial loss from ransomware.

