Average cost of US cyberattack $1M to $10M, Radware survey

How many businesses will pay a ransom if attacked? It might depend on whether they have already been a victim of ransomware. Some 84% of US and UK information technology executives at firms that had not faced ransom attacks said they would never pay a ransom. But among firms that had been attacked, 43% paid, according to Radware’s 2016 Executive Application and Network Security Survey.

Radware, a provider of cybersecurity and application delivery solutions, polled more than 200 IT executives across the US and UK. The study found that US companies were far more willing to admit that they would pay a ransom. Among US firms that had not been attacked, 23% indicated they were prepared to pay a ransom, in contrast to 9% in the UK. Companies that paid ransoms reported an average of $7,500 in the US and £22,000 in the UK.

“This is a harbinger of the challenging decisions IT executives will face in the security arena,” said Carl Herberger, Radware’s Vice President of Security Solutions. “It is easy to say you will not pay a ransom until your system is actually locked down and inaccessible. Organisations that take proactive security measures, however, reduce the chance that they will have to make that choice.”

In addition to the responses to ransom attacks, Radware’s 2016 Executive Application and Network Security Survey found which security threats most weigh on the minds of the C-suite and senior executives.

Former hackers are seen as reliable watchdogs

Senior executives see former bad guys as the best way to test their systems. Some 59% of respondents said they either had hired ex-hackers to help with security or were willing to do so, with one respondent saying, “Nothing beats a poacher turned gamekeeper.”

Firms see telecommuting as security risk

Work-from-home arrangements are seen as an increasing risk. The survey found a big jump in changes to telecommuting policies, with 41% of respondents saying they have tightened work-from-home security policies in the last two years.

Wearables require more than a dress code

While about one in three companies implemented security policies around wearables in the last two years, 41% said they still have no rules in place, leaving a growing number of endpoints potentially vulnerable. Perhaps this is because wearables are not seen as a major target: only 18% pointed to wearables when asked what hackers would most likely go after in the next three to five years.

New connected devices will be the next security frontier

While wearables were less of a concern, many executives surveyed think the Internet of Things could become a bona fide security problem. Some 29% said IoT devices were extremely likely to be top avenues for attacks, similar to the 31% who said the same of network infrastructure.

Cleaning up after a cyberattack can be expensive

More than a third of respondents in the US said an attack had cost them more than $1 million, and 5% said they spent more than $10 million. Costs in the UK were generally lower, with 63% saying an attack had cost less than £351,245 or about $500,000, though 6% claimed costs above £7 million.

Security risk is business risk

Whether motivated by ransomware or another factor, attacks impose significant reputational and operational costs on victims. When executives named the top two risks they face from cyberattacks, brand reputation loss led the pack, with 34% of respondents choosing that as a big fear. Operational loss (31%), revenue loss (30%), productivity loss (24%), and share price value (18%) were also among the top concerns.

Methodology

On behalf of Radware, Merrill Research surveyed 205 IT executives, 104 in the US and 101 in the UK, in April and May 2016. To participate in the 2016 Executive Application and Network Security Survey, respondents were required to be at a company with at least $50 million or equivalent in revenue and hold a title of Senior Vice President level or higher. By design, the survey’s respondents were equally split between C-level executives and Senior Vice Presidents. About half of the companies in the survey have 1,000 to 9,999 employees, averaging about 3,800.