Cyber Insurance & Cyber Crime

“Always practice safe clicks!”

Ransomware has been big in the news for the past couple of years, and earlier this year in particular the “WannaCry” attack caused a media storm and, apparently, generated US$130,000 in income for the writers. (The actual recorded amount was 52 Bitcoins, which on the current market would be NZ$332,540 – that’s certainly been a good investment this year!)

As a result of the hype, local insurance companies have been responding by offering their clients “Cyber Insurance”, a separate policy to cover the costs of recovering from a ransomware (or some other similar) attack. Several clients have called me to ask about the value of these policies.

Now, I have to tread carefully here for a number of reasons. You’ll note that I said above that the policies have come about “as a result of the hype”, not in response to the amount of damage done. I’d love to see some hard figures about the number of hits and the actual cost of recovery; instead, what I’ve been hearing from vendors is information like “The number of hits in NZ is into the thousands…” and “The average cost of recovery to an NZ business is $70,000…”. Having recently heard those numbers I asked where they came from and was promised a link to a “government report” on it. This was a few weeks ago and the vendor hasn’t found the link yet.

A more recent conversation with our own broker brought out similar statistics about the frequency and damage; again I asked for the source, and again I am still waiting.

The ‘real’ cost of ransomware

I’d be interested to see how they’re arriving at these figures, because we have some of our own and I can tell you how we arrived at the figures – we’ve had five (out of around fifty) clients hit with ransomware and I can show the invoices for the cost of recovery. In two cases we caught it before any damage was done on the network. In two cases we had to restore significant amounts of data and there was a 3-5 hour impact to the business. And in one extreme case the restore was particularly large and had the business running in limp-mode for a whole day.

The direct charges (their IT cost of recovery) were no more than a few thousand dollars at worst. The loss of profit would mostly be hard to quantify, and the sunk cost of staff being idle or operating at reduced capacity is also the subject of quite some debate.

So, is an insurance premium of $1000-$2000 per month something that makes sense? In all of the clients I have spoken to so far, including one who has been hit, it’s not justifiable. We’ve encouraged processes and staff training to avoid “human error” hits, we have software and systems in place to minimise the chance of something getting in, and when it does happen, as it still can, we have good backups that can be easily restored.

I’d really like to hear from other people considering this as to what the cost is and what the policy covers as the likely return-on-investment will vary from business to business. I am certainly not rubbishing the insurance companies for being proactive like this – I’m just always happy to help confirm whether your business needs it.

And, as I say every time, don’t open those unknown links or attachments… practice safe clicks.


Philip Adamson, Managing Director, OutSource IT
