How much could a ransomware data breach cost your company compared to implementing a detection and response solution that can help you prevent, detect and respond to ransomware attacks?
In this article, we’ll cover the cost of ransomware and data breaches in 2020, the types of costs factored into the totals, differing costs by organization size, and how much a cloud SIEM costs in comparison.
The Cost of Ransomware Attacks in 2020
Ransomware continues its relentless rampage across all industries, private and public. According to research from Coveware, the total cost of ransomware in 2020 doubled last quarter.
Ponemon’s annual study conducted with IBM reveals that the average cost of a general data breach is $3.86 million in 2020, with the time to identify and contain a compromise is 280 days. On average, it took companies 207 days to detect and 73 days to contain a breach. The study found that organizations can save $1.12 million on average if they are able to detect and contain a breach in less than 200 days.
The average ransomware breach cost is $4.44 million, while destructive malware breaches cost $4.52 million. A ‘destructive malware breach’ is defined as a breach in which data is destroyed or held hostage for a ransom. For a malicious attack, it took longer than average (315 days) to detect and contain a breach.
IBM/Ponemon’s report reported that the average cost of a data breach has increased for mid-sized organizations. Here’s a breakdown of cost by organization size (depicted visually in the graph below):
- 500-1,000 employees – $2.53 million
- 5,001-10,000 employees – $4.72 million (7% increase from 2019)
- 10,001 to 25,000 employees – $4.61 million (6% increase from 2019)
What’s Factored Into Ransomware Attack Costs?
It’s important to note that costs vary depending on a variety of factors, including the severity of the actual attack:
- The actual ransomware payment demand (avg. is $111,605 – Coveware)
- Lost revenue due to downtime and disruptions in operational processes, especially for companies without a business continuity and disaster recovery plan
- Potential damage to a company’s brand and reputation, resulting in customer churn
Forensics and investigation, remediation and containment costs
- Legal costs related to third-party claims if customer data is leaked as the result of a ransomware attack
- Customer communication, credit monitoring and identity protection services
- Any related fines incurred as a result of breaching specific industry or data compliance regulations (for example, paying a ransom may result in OFAC violations/fines)
While many are one-time costs, many others can be recurring and ongoing losses to your business. For some, especially smaller organizations, they may never fully recover enough to continue staying in business, as ransomware recovery can take a major financial toll.
Why Invest in a Cloud SIEM?
The upfront costs of standing up a cloud SIEM is minimal compared to the average one-time and recurring damage that a ransomware attack can inflict upon your business.
If you choose a cloud SIEM that comes with automated detection and response built into its platform, you can greatly reduce the time, effort and IT/security engineering resources required to get any security value out of it. For broad and comprehensive coverage, choose a SIEM that can integrate with both on-premises and cloud applications and services for complete monitoring and response across your entire hybrid environment.
To break that down further, here’s how a cloud SIEM can help prevent or provide early detection and response of a ransomware attack, which can help you save on data breach costs overall. As mentioned previously, organizations can, on average, save $1.12 million if they can detect and contain a breach in less than 200 days.
These are the different stages of a ransomware attack, and how you can use a cloud SIEM to detect and respond to each type of attacker technique and tactic:
|Attack Stage||What to Detect to Prevent Ransomware|
|Discovery||Detect scanning tools on your network to identify attackers performing reconnaissance, an early stage in the attack lifecycle in which they seek out vulnerable areas to attack and target with ransomware.|
|Credential Access||Detect and respond to password-related or identity attacks, like password spraying, account lockouts, RDP (Remote Desktop Protocol) connections from public IPs, geo-impossible logins, fraudulent two-factor authentication attempts and more.|
|Privilege Escalation||After an attacker has gained a foothold, they will often change user account privileges in order to move laterally throughout your systems and install ransomware. Detect and respond whenever administrator-level accounts are added or changed.|
|Data Exfiltration||A new ransomware-related trend results in attackers stealing data pre-infection to use as leverage for ransom demands. Early detection of data exfiltration via generic network protocols, anomalous web traffic or through email forwarding and external document sharing will alert you to an attacker's activities before infection.|
|Execution||Attackers download and execute malicious files in order to install ransomware on your systems. By detecting when an application is dropping a new file or script onto a machine, you can alert your team to potentially malicious executables.|
What’s the Cost of a Cloud SIEM?
The cost of a cloud SIEM requires many different factors as well – time to deploy, size of team required, any additional consultants, additional or hidden costs, and then the actual pricing model structure.
We break down the cost of a cloud SIEM solution vs. traditional on-premises SIEM platforms in more detail in Is Your SIEM Deployment Failing? The Hidden Costs of SIEMs.
Here it is summarized briefly in the table below:
|Traditional SIEM||Cloud SIEM (Blumira)|
|Time||3-6 mths w/product & security expertise||Under 5 hours|
|Team||2-5 ppl||1-2 IT/security resources|
|Consultants||7-9 for training & ongoing maintenance||None|
|Pricing Model||Priced by data consumption, can be unpredictable. $100-300k/yr||Predictable, per-user pricing. Starts at $14,400/yr up to 100 users|
|Other Costs||$100k+ storage costs & additional licensing for alerts.|
Additional cost to secure cloud applications
|None - both on-prem & cloud coverage included.|
Let’s say on the lower end of employee count, you have 500 users – you’re looking at an annual predictable cost of $72,000 for a cloud SIEM that provides out-of-the-box detection and response for the many different stages involved in and leading up to a ransomware attack.
Cost of Ransomware Data Breach, Ransom Payments vs. Cloud SIEM
If we compare that to the estimated 2020 overall costs associated with a data breach for companies with 500-1,000 employees, $72,000 is still comparatively a lot less than $2.53 million. And much less than the average cost of a ransomware breach, at $4.44 million.
Even if you compared it to the average cost of a ransomware payment alone, there’s a significant difference of 55% – $72,000 vs. $111,605. If implementing a cloud SIEM can be done with your current small team at a much lower cost, one would stand to reason it’s worth investing in a solution that offers an ongoing return on your investment by providing ransomware protection, detection and response in one consolidated platform.
You might be ready to try out a cloud SIEM on a free-trial basis to test out our claims of how quickly you can integrate Blumira with your existing tech stack, start collecting and parsing logs, and immediately start adding security value to your organization.
Our pre-built detection rules and security playbooks let you skip the fine-tuning required by traditional SIEMs, and our cloud-delivered platform plays nicely with hybrid environments. Check out our free cloud-based SIEM platform trial for yourself.
Or maybe you’re still in research mode and you want to learn more about the specifics of what we detect, as it relates to preventing a ransomware infection.
Check out our other related ransomware & cloud SIEM resources, including:
- Blumira’s Security Advisor Series: Ransomware Roundtable
- Top Security Threats: Detecting Ransomware Tactics
- What is Ransomware?
- Ryuk Ransomware Targets Healthcare Organizations
- Protecting Against Ragnar Locker Ransomware
- RDP Risk: Ransomware Targets Manufacturing and Energy Plants
- Detect & Prevent Infection: 50% Rise in Ransomware Attacks
Watch on demand as our VP of Product Jim Simpson and VP of Ops Patrick Garrity discuss the cost-benefit analysis of a ransomware attack vs. a cloud SIEM in an exclusive roundtable discussion: