April 17, 2024

Ransomware Payment Ban is Potentially Catastrophic Cybersecurity News for Your Organization

(Photo courtesy of the Institute for Security and Technology)

This is a nearly $20B problem with few, if any, good solutions.

We read with shock and horror the words of Kemba Walden (pictured above right), the former acting White House national cyber director, who said that a ransom payment ban is the ultimate goal.

“A ransomware payment ban remains ‘the North Star’ for U.S. cybersecurity experts looking to curtail hacking groups’ leverage over companies, but ‘real steps’ remain before the country can get to that point,” she said on Tuesday, April 16, 2024.

We at Apex Technology Services agree with the sentiment and in fact have advised against paying ransoms in the past. The challenge is that the money at best goes to a criminal and at worst goes to a terrorist.

The good news is companies seem to be paying fewer ransoms – Coveware says 29% of organizations paid as of Q4 2023 – down from 85% in Q1 2019. More good news: The average ransom payment in the fourth quarter of 2023 was roughly $568,000, a 33% drop from the third quarter.

This leads us to wonder – what number of companies are we talking about? Veeam ran a recent survey and found 75% of organizations suffered at least one ransomware attack in 2023. Veeam tends to work with medium to larger companies so to be conservative we looked at how many of these there are in the US. We found about 200,000 U.S. middle market businesses that represent one-third of private sector GDP, employing approximately 48 million people.

How are they classified? According to the National Center for the Middle Market, their revenue is between $10M and $1B.

Now for some fun math. Of 200,000 companies, 75% have been hacked, which gives us 150,000 organizations. 23% paid a ransom, or 34,500 of them! The average payment was $569,000, so that is $19.6B in ransomware payments! In one year!

This is an OMG number and government action makes a lot of sense. The question is – what action? Companies do not fork over nearly $20B unless they see it as a necessity. No organization likes to be extorted, so consider this amount of money the bare minimum to potentially keep at least 34,500 companies a year in business!

Imagine if they couldn’t pay the ransom – what would be their alternative? The assumption here is their computers are inoperable and they have no good, recent backups. A more challenging issue is when there are good backups and the hacker threatens to release the company’s private information (customer lists, etc.) to the public if not paid.

Either way – we are talking about making payments to keep the business properly running.

So there is a $20B problem and it needs solving. Companies may soon lose their only ability to get their data back – if the White House solution becomes reality.

There are actions which can be taken now. If you are hit by cybercriminals, you are very likely to be hit again within a single year, according to Security Intelligence! In fact, 68% of companies hit once are hit again within 12 months, with some organizations seeing 10 or more incidents per year!

For ransomware attacks specifically, the number of companies suffering repeated ransomware attacks rose to 80%, according to an international Cybereason survey.

Wayne Gretzky is credited with saying his success was based on “Skating to where the puck was going.” The saying is as spot on in hockey as it is in business and cybersecurity.

There is a governmental push to ban ransomware payments. It may not happen but if it does, companies that have been attacked previously seem to be the most likely targets – to the tune of an 80% likelihood of seeing future ransomware attacks.

This means if the attacker is releasing your data, you cannot stop them! This applies even if you have perfect backups.

The solution is to start skating/planning now. Beef up your cybersecurity today. Immediately. Make it a corporate priority.

The good news – there are great partners like MSPs and MSSPs who can help. They make a living helping companies stay secure. They are on the front lines and see the worst cases and the best practices among their clients.

Customers often tell us here at Apex Technology Services that we are the first and only MSP that has eliminated their downtime and outages. Just as important is how MSPs respond in the unlikely event an outage does happen. When you choose your MSP, ask them for a customer reference who had an outage to learn how they perform in the worst-case scenario. Do they work around the clock to get customers back? How do they treat you and your team during such a difficult time?

If you are looking for an honest assessment of your cybersecurity posture – trust the cybersecurity and business continuity experts at Apex Technology Services.


Aside from his role as CEO of Apex Technology Services, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

