What is the operational impact on business in ransomware attacks?

Sheila Pancholi, Partner – RSM UK

Ransomware creates a nightmare scenario for every business it targets. It results in lost access to critical systems and data, prolonged downtime, lost productivity, and lost profits. And as ransomware continues to become more sophisticated, the level of risk that small and mid-sized businesses face increases.

In March 2019, a new strain of ransomware, LockerGoga, infected one of the world’s largest aluminium producers, Norsk Hydro. The impact was severe, effectively shutting automation down for days and forcing them to go on manual operation. This led the company to buy hundreds of new computers. In April, the company said it would cost at least $52 million to pay for the damage caused by the attack.

The impact on business continuity, productivity, and reputation alone is a grave cause for concern, but the financial damage is where the real danger lies. Routinely, ransomware demands cost hundreds or even thousands of pounds, in addition to the funds businesses lose as a result of the sudden halt in day-to-day operations.

As cyber security specialists we would advise strongly against paying ransomware demands. Aside from the high cost, paying does not guarantee that you will receive the promised access to your data. And the more businesses cave to these demands, the more money cyber criminals are able to make, encouraging them to keep targeting businesses and keep raising their ransom.

Often, the real concern isn’t whether or not you should pay the ransom, but rather whether your business will be able to recover from the damage caused by the infection. Losing access to critical data and systems for any length of time is problematic, and it’s estimated that less than half of all ransomware victims can fully recover after an attack.

Gregor Strobl, Partner – RSM Germany

There are multiple impacts on the operational, business and legal (compliance) sides of your company once a hacker attack has struck. Of course, there is the compliance perspective in the case of not filing with the ICO when the company has lost private or sensitive personal data. In addition, the whole business might be at risk when the company needs to shut down its IT infrastructure with no Disaster Recovery plans in place, or with plans that have never been tested. The company might not have access to its websites, its communication, and its ERP or production systems, or might not even be able to access its own building. Experts recommend rebuilding the IT infrastructure from scratch after a cyber-attack, which can lead to further significant costs and business interruption.

Darren Booth, Partner – RSM Australia

There are still no public disclosure laws in Australia, so a lot of the attacks are not reported and known about. However, there is a requirement to disclose to the Australian Information Commissioner, but this isn’t then made public unless the breach significantly affects PII. The main impact seems to be the ability to meet customer expectations for products and services, and the communication on the impact of the attack to meet these expectations. If an organisation can recover without it impacting the customer, then no one will ever know about it. Once customers start to hear about it, the brand reputation is damaged, but typically the damage is not long term. From our experience, people seem to have a short memory and forget that an organisation was attacked.