Information Security
Ransomware costs not limited to ransoms, research shows
The financial fallout from ransomware involves more than bitcoins, one study found. Targeted companies invest in security technology and fear loss of reputation and customers.
Ransomware costs are hard to quantify. Many companies that have been targeted and have paid the ransom avoid law enforcement and public disclosure. But financial consequences involve more than just ransoms, according to new data from the Ponemon Institute. The independent study, sponsored by Carbonite, surveyed 618 individuals in small to medium-sized companies.

Researchers found that 51% of the organizations surveyed had experienced ransomware attacks. These companies reported four ransomware attacks on average and -- among those that paid -- an average payment of $2,500 per attack. Close to half of the companies paid (48%) and slightly more did not (52%).
Respondents whose organizations opted not to pay ransoms cited several reasons: full backup of systems and data (42%), company policy not to pay ransoms (16%) and fear that paying the ransom would not result in a decryption key (15%).
But even among companies that opted out of ransoms, there was financial fallout. Other ransomware costs included investment in security technology (33%), money lost from downtime (32%) and loss of customers (32%).
According to survey respondents, ransomware infiltrated their organizations through phishing and social engineering (43%), insecure or spoofed websites (30%), malvertising (15%) and social media (8%).
More than half (55%) of respondents said that the compromised devices were used for both personal and business purposes. Compromised devices also infected other devices on the network (42%) and the cloud (21%), the survey showed.
While 53% of those surveyed indicated that their organization would pay a ransom if sensitive data was at risk, 57% indicated that they thought their organization was too small to be a target of ransomware attacks. Only 46% considered prevention of ransomware (and ransomware costs) a high priority, according to the Ponemon report.