£200,000. That was the cost of opening the wrong email in this ransomware example.
As part of our work with the insurance sector, our colleagues at Ratcliffe’s Insurance Brokers in Cheltenham shared details of a recent case, affecting a medium-sized business.
It wasn’t a complicated event, and it was the sort of thing that could happen to any organisation. The finance team received an invoice from an unrecognised sender, which they opened. The attachment was malicious, and resulted in the deployment of so-called ransomware, which encrypted company data and demanded money to restore it.
Often, these ransom demands are based on what a company can afford to pay: more for big businesses, less for smaller ones. After all, we all post annual accounts which are publicly available. And for many companies, paying a ransom (which we don’t recommend) might look like the only way to get things back online.
But there are two ways to deal with this kind of threat. The first is to take the right preventive measures… often, a combination of staff training, backup, and resilience plans. That’s the kind of thing that a cyber resilience centre can support with. The second is to have your own technical experts on hand, to fight back.
In this instance, the company in question was insured against cyber risks. Which feels worthwhile, because let’s face it, which of us doesn’t now know someone who’s had accounts hacked, made payments to fraudulent accounts, or been sent compromising emails?) That insurance meant that a phone call resulted in a £50k spend on technical specialists who were able to decrypt the data. Also covered were the £30k of staff overtime costs, the £20k on incident management and legal costs, and the £100k in lost revenue for the two days that systems were down.
Not all businesses will stand to lose this much money. For the smallest, the government’s Cyber Essentials scheme will bring £25k of free insurance as a useful starting point. But as your risk becomes higher, it’s worth looking at what else is out there. Because if your business or charity relies on IT, one wrong click can unleash chaos. Having a plan for that, and support in place, might just help you sleep sounder.
So if you want support in getting your support, you could do worse than approach your local cyber resilience centre. Home Office funded and not-for-profit, we can help you with developing those preventive measures and contingency plans. We can tell you about Cyber Essentials, and we can probably even let you know about a regional insurer who works with smaller businesses. Nothing in it for us. But there might be quite a lot in it for you.