COMMENTARY: It’s any IT professional’s worst nightmare: Someone has breached the network, locked users out of their computers, captured company data, and has held it for ransom. Most of us spend a lot of time thinking about how to avoid this situation, but I think that’s only part of the solution.
Ransomware payments topped $1 billion in 2023, and that number has increased every year. Analysts predict that ransomware costs in damage and ransoms will exceed $265 billion by 2031.
“But Trevor,” many security pros might say, “that’s exactly why we should be trying to protect against a breach!”
Frankly, I’ve found that with prevention, we’re seeing diminishing returns. We can — and must — do better.
Ransomware impacts are getting worse
According to a Ponemon Institute report, 58% of organizations halted operations in 2024 following a ransomware attack. And they were down for an average of 12 hours. That’s a huge number of businesses finding themselves unable to function following a breach.
Now, let’s look at the cost of recovery. In 2024, on average, organizations spent $150,000 resolving an attack. That’s just the hard costs. More than one-third of organizations also reported damage to their brands following an attack.
So, many might think that this surely points to the need to invest more in protection.
And again, I say: “No, not at the expense of containment.”
Here’s why: Rising threat levels and increasing attacks mean we should spend more money on security. But I have issues with how most organizations spend that money.
While we have made a huge reduction in the probability of a successful attack, we will never remove the risk completely. There’s a 100% chance that an attack will get through. This means that we must shift our thinking to plan for how we will respond to the inevitable attack. This should include an immediate deployment of technology that mitigates the impact of an attack by containing the spread of any incident.
While 51% of organizations surveyed by Ponemon believe that “prevention” is a high priority, 44% say a lack of ability to quickly identify and contain attacks made it difficult to respond to them.
This tells us that prevention alone isn’t getting it done. Organizations should also focus on containment, and yet only 27% of Ponemon survey respondents have segmentation or microsegmentation in place. Fewer than half use AI to combat ransomware.
Once again: we can do better.
When a breach occurs – and chances are it will – the team must keep its IT systems functioning, both in the cloud and on-prem. Our customers frankly don’t care what the company has to deal with to solve an issue. If one vendor can’t deliver, they’ll go elsewhere.
This brings us to minimum viable operation (MVO). What is the absolute minimum number of systems the organization needs to keep operating in order to deliver service? Identify those systems and plan a cyber resilience strategy around ensuring they remain standing in the event of an attack.
Map out detailed rebuild protocols and establish recovery measures to minimize downtime. This will protect critical services and reduce the fallout of any single attack, shifting the security dialogue from “How do we prevent this?” toward “How fast can we recover?”
Next, identify exactly the threat the team plans to mitigate against. All the money in the world spent on prevention won’t help if the team doesn’t target its efforts on specific risk vectors. What are those vectors? The supply chain and third-party vendors are often at the top of that list.
Finally, invest in microsegmentation, which divides a network or computing environment into smaller, isolated segments at a very granular level. Simply put, it cordons off services so a breach doesn’t grant attackers access to everything. If attackers compromise one segment, microsegmentation helps contain the threat by preventing unauthorized access to other network parts.
This way, even if an attacker can breach one part of a system, other, more critical parts can remain isolated and operational, preserving MVO.
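To make the containment argument concrete, here is an added example (not from the column, and not Illumio's code) that models a constructed six-segment environment twice, once with a flat any-to-any policy and once with a default-deny microsegmented policy, and computes the blast radius of a single compromised segment against the MVO set. The segment names, allowed flows and MVO membership are all assumptions; the model treats every permitted flow as a possible lateral-movement path, which is the worst case a defender plans for.

```python
from collections import deque

# Constructed sample environment (assumption, not from the column): network
# segments and the subset the business needs for minimum viable operation.
SEGMENTS = {"workstations", "file-server", "erp-app", "erp-db",
            "payment-gateway", "backup"}
MVO = {"erp-app", "erp-db", "payment-gateway"}

# Flat network: every segment may talk to every other segment.
FLAT_POLICY = {(s, d, "any") for s in SEGMENTS for d in SEGMENTS if s != d}

# Microsegmented network: default deny, only these (src, dst, service) flows.
SEGMENTED_POLICY = {
    ("workstations", "erp-app", "tcp/443"),
    ("workstations", "file-server", "tcp/445"),
    ("erp-app", "erp-db", "tcp/5432"),
    ("payment-gateway", "erp-db", "tcp/5432"),
    ("backup", "file-server", "tcp/22"),
    ("backup", "erp-db", "tcp/5432"),
}


def blast_radius(policy, compromised):
    """Segments reachable from `compromised` by following allowed flows
    transitively (worst case: any permitted flow can be abused)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for s, d, _service in policy:
            if s == src and d not in reached:
                reached.add(d)
                queue.append(d)
    return reached


def exposed_mvo(policy, compromised, mvo=MVO):
    """MVO segments that fall inside the blast radius of one compromise."""
    return blast_radius(policy, compromised) & mvo


def containment_report(policy, mvo=MVO):
    """For every possible starting point, how many MVO segments are exposed;
    a non-zero entry tells you which policy gaps to close next."""
    return {seg: len(exposed_mvo(policy, seg, mvo)) for seg in sorted(SEGMENTS)}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, containment_report(policy))
```

With the flat policy a compromised workstation exposes all three MVO segments; with the segmented policy it still reaches erp-app and erp-db through the permitted application path, while payment-gateway and backup stay out of reach, which is exactly the kind of residual exposure the report is meant to surface.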
The simple fact: ransomware cases are on the rise and more costly every year. The chances of stopping a breach are low. However, the chances of containing a breach are high.
Ponemon found that 51% of organizations that were attacked paid the ransom, and only 13% got their data back. Whether the company invests in containment, or plans to pay a ransom and endure downtime and reputational hits, it’s going to cost money.
But only one way ensures that the organization can control what happens next.
Trevor Dearing, director of critical infrastructure solutions, Illumio
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.