Speaker, InterVision’s Strategic IT Advisor and author of “Amplify Your Job Search: Strategies for Finding Your Dream Job.”
As we move further into the year, many companies are reassessing their exposure to various cybersecurity scenarios and investing in a better security posture where they can. However, money only goes so far. Too many assume that buying more cyber insurance coverage will be enough to absorb the full financial pain of a cyber event. Worse, ransomware remains woefully under-planned for compared with other incident scenarios. According to the FBI, an average of more than 4,000 ransomware attacks have occurred daily since 2016, and Sophos found that the average global cost of remediating a ransomware attack is $1.85 million.
Sure, insurers might cover some of the upfront costs of a ransomware attack, such as the ransom payment, the forensic investigation, disaster recovery and other directly connected expenses. However, too many companies neglect a critical cost that insurance can’t solve: reputational damage.
The Cost Of Reputation Rebuilding
When companies fail to calculate the total cost of a ransomware attack (which includes the damage to their brand), they leave a gap in their risk planning that an attack will eventually expose. Some companies are now known to the general public only because of the news coverage of their ransomware events. Others had decades of a good reputation that one cyber event critically damaged.
For both kinds of organization, the reputational damage means a steep uphill climb to regain customer trust. We’re talking ads, positive news coverage and monetary commitments to affected customers. Sometimes an entire rebrand is needed. Whatever the scope of the reinvention, these activities demand a great deal of time and money.
In some cases, it could take decades to regain the reputation you’ve lost following negative publicity. This brings me back to insurance coverage. Will your insurer commit to restoring your company image after a ransomware event? If so, for how long? Decades? Rebuilding a reputation takes time. It’s not something you can turn on like a light switch.
Sometimes, a business will never recover from the reputational fallout of ransomware. I’m thinking specifically of industries like financial services or legal, where the business model relies upon how positively customers perceive the brand. For example, you don’t want to bank where your money won’t be safe. You avoid law firms that aren’t competent in handling sensitive information. If your industry relies heavily upon reputation, ransomware should be even more concerning.
What does true ransomware mitigation entail?
Protecting your reputation demands a holistic, comprehensive approach to preparing for ransomware and other types of cyberattacks. Insurance coverage is critical, but it’s just one piece of a large puzzle. Technology leaders need to know and understand their coverage: what the policy pays for, what it excludes and which security controls the insurer expects you to have in place. Next time, rather than just “checking the box” on your insurance, get involved, ask questions and understand the steps you can take to improve your coverage and reduce your premiums.
Beyond insurance, knowing where to focus your attention and your spending can be challenging. I like to look at it through the three lenses of assessing, protecting and responding.
• Assessing your risk. First, banish the idea that you can’t possibly be a target for a cyberattack. If you are in business and conduct any of that business electronically, you are a target. Understanding what data you hold, where it resides and how valuable it is to you and to an attacker is the first step toward determining your exposure and your company’s appetite for risk. Armed with that knowledge, you can build a program appropriate to your business. This is one of the primary roles of a chief information security officer (CISO).
• Protecting your risk. Protection includes the technology and processes you have in place to keep attackers out, but it also includes teaching your employees to be responsible digital citizens who do their part to protect the organization. Protection is inseparable from detection. Many intrusions sit undetected inside your systems for weeks or months before the attacker does harm, and that dwell time is your window to catch them. Monitoring therefore plays a significant role in both protection and detection. Eyes on the screen in the form of a security operations center (SOC) are the trigger for your response.
• Responding to your risk. Protecting your reputation often comes down to how you respond when you have an incident. Were your customers affected, either by the attack itself or because you were not operational for an extended period afterward? Were your employees affected by the loss of their personal information or by lost wages during a shutdown? Did you have to pay a ransom because you could not recover? (It is worth noting that 92% of those who pay the ransom don’t get all of their data back anyway.) Backups are still an essential part of protecting your data, but restoring a significant amount of data from them can be slow and cumbersome, and a backup that has never been test-restored, or that the attacker could reach from the compromised network, may not be there when you need it. Consider disaster recovery-as-a-service tools and services to speed up the process. Ensuring that your data is protected and quickly recoverable could spell the difference between a minor event and landing on the front page.
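A concrete way to check the “quickly recoverable” claim above is a scripted restore test. The following is an added example, not code from the article or from InterVision: it records a SHA-256 manifest at backup time, restores the set, verifies every restored file against the manifest, and checks the backup’s age and estimated restore time against hypothetical recovery point and recovery time objectives (RPO/RTO). The directory layout, manifest format, sample files, the tampering scenario and the 50 MB/s restore throughput are all constructed for the demonstration.

```python
"""Restore-test a backup set against its manifest and check RPO/RTO targets.

Added example, not the article's own material. Layout and manifest format
are hypothetical: a JSON manifest lists each file's SHA-256 and size plus
the time the backup was taken.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RestoreReport:
    """Outcome of one restore test."""
    verified: int = 0
    corrupted: list = field(default_factory=list)   # present but hash mismatch
    missing: list = field(default_factory=list)     # listed in manifest, absent on disk
    backup_age_seconds: float = 0.0
    estimated_restore_seconds: float = 0.0
    rpo_met: bool = False
    rto_met: bool = False

    @property
    def ok(self) -> bool:
        return not self.corrupted and not self.missing and self.rpo_met and self.rto_met


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(source_dir: str, manifest_path: str, created_at: Optional[float] = None) -> dict:
    """Record hash and size of every file in the backup set (done at backup time)."""
    files = {}
    for root, _dirs, names in os.walk(source_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    manifest = {"created_at": time.time() if created_at is None else created_at, "files": files}
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh)
    return manifest


def verify_restore(manifest_path: str, restore_dir: str, rpo_seconds: float,
                   rto_seconds: float, throughput_bytes_per_s: float,
                   now: Optional[float] = None) -> RestoreReport:
    """Compare a restored copy against the manifest and check RPO/RTO.

    RPO: the backup must be no older than rpo_seconds at test time.
    RTO: total bytes / measured restore throughput must fit in rto_seconds.
    """
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    now = time.time() if now is None else now
    report = RestoreReport()
    total_bytes = 0
    for rel, meta in manifest["files"].items():
        total_bytes += meta["size"]
        path = os.path.join(restore_dir, *rel.split("/"))
        if not os.path.isfile(path):
            report.missing.append(rel)
        elif sha256_file(path) != meta["sha256"]:
            report.corrupted.append(rel)   # e.g. the restored copy was encrypted or truncated
        else:
            report.verified += 1
    report.backup_age_seconds = now - manifest["created_at"]
    report.rpo_met = report.backup_age_seconds <= rpo_seconds
    report.estimated_restore_seconds = total_bytes / throughput_bytes_per_s
    report.rto_met = report.estimated_restore_seconds <= rto_seconds
    return report


def demo(rpo_seconds: float = 24 * 3600, rto_seconds: float = 4 * 3600,
         throughput_bytes_per_s: float = 50 * 1024 * 1024) -> dict:
    """Constructed scenario: a clean restore, a tampered restore and a stale backup."""
    sample = {"ledger.csv": b"acct,amt\n1,100\n", "notes.txt": b"hello\n", "sub/app.ini": b"[app]\na=1\n"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst, \
            tempfile.TemporaryDirectory() as vault:
        for rel, content in sample.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        manifest_path = os.path.join(vault, "manifest.json")
        taken_at = time.time()
        write_manifest(src, manifest_path, created_at=taken_at)
        shutil.copytree(src, dst, dirs_exist_ok=True)          # the restore itself
        clean = verify_restore(manifest_path, dst, rpo_seconds, rto_seconds, throughput_bytes_per_s, now=taken_at)
        # Simulate what a ransomware run over the restored copy would leave behind.
        with open(os.path.join(dst, "notes.txt"), "wb") as fh:
            fh.write(b"\x00encrypted\x00")
        os.remove(os.path.join(dst, "sub", "app.ini"))
        tampered = verify_restore(manifest_path, dst, rpo_seconds, rto_seconds, throughput_bytes_per_s, now=taken_at)
        # Intact data again, but tested three days after the backup: a one-day RPO is blown.
        shutil.copytree(src, dst, dirs_exist_ok=True)
        stale = verify_restore(manifest_path, dst, rpo_seconds, rto_seconds, throughput_bytes_per_s,
                               now=taken_at + 3 * 86400)
    return {"clean": clean, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "OK" if report.ok else "FAIL", report)
```

To use it on a real backup, point write_manifest at the source at backup time and verify_restore at a restore into scratch storage, and feed it throughput measured from an actual restore rather than a guess; the estimate is only as honest as that number. Keep the manifest with the backup but out of reach of production credentials: ransomware operators routinely encrypt or delete any backup they can reach first, so a copy that can be altered from the compromised network is not the copy you will be recovering from.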
Making Better Choices
As you consider the best investment choices for protecting your business against ransomware, it’s paramount to remember that purchasing cyber insurance alone isn’t enough. It’s only a small part of what it will take to ensure the survival of your business. It’s a matter of when, not if, you’ll be hit. Too often, the reputational fallout of ransomware is left out of these considerations. C-suite leaders must price the cost of recovering reputation, what it will take to rebuild from rock bottom, into their risk management decisions.