The hidden (and not so hidden) costs of a ransomware attack

Most businesses would prefer to bury the costs associated with their response to a data security event. Sometimes the financial impact resulting from a data breach gets buried in the aftermath of the event since most businesses don’t do a great job of measuring the impact in the first place. But sometimes those costs end up in their financial statements. What you can glean from those is very telling, and is also a warning to businesses about the importance of taking security seriously.

In the wake of last Spring’s numerous ransomware attacks, many businesses found themselves in the uncomfortable position of having to tell their investors that they took a hit. Maersk was one; Nuance was another. Nuance, a firm that supplies online and on-prem IT-related services to medical professionals, had systems interrupted by NotPetya, which resulted in an interruption of services to their customers. It forced them to declare a $98 million impact in their 10-Q filed in February. While that’s no small charge, it’s likely just the tip of the iceberg.

I’ve recently heard from numerous medical facilities around the country who were forced to postpone tens of thousands of surgeries and other medical procedures because of their inability to access Nuance’s systems during the outage. It’s not a stretch of the imagination to expect the blowback against them would include a number of significant lawsuits from their clients and, perhaps, the patients who were impacted. That story continues to be written.

Too often businesses are inclined to overlook security risks, believing that they’re unlikely to be directly impacted by them. But as we see more and more cases like Nuance, it’s becoming increasingly difficult to turn away from the reality that every business is a target, and the impacts from security incidents are real, and impactful. Beyond just the financial costs, I’ve written in the past about those impacts that are not so easily measured: damage to reputation, difficulty holding and recruiting employees, greater levels of scrutiny by regulators, auditors and third-party business partners. These all add-up.

The baseline for security in any organization is good security awareness training. It can help reduce the likelihood of those accidents that can lead to the type of security incident that results in those charges of tens or hundreds of millions of dollars.

You can receive more insights into security awareness by signing up for the Security Smart Newsletter. The newsletter is an employee education program designed to help build security awareness by making security reminders and information fun, interesting, and engaging to all your employees; saving you and your organization precious time on your security awareness program. To learn more about the newsletter and the subscription options, please click here!