It takes just half a second to infect a computer with ransomware, but affected companies deal with the fallout for months. The FBI estimates that more than 4,000 ransomware attacks occur each day in the U.S. – representing a 300% increase over 2015 alone. What's more, cybercriminals can get started for just a small investment: Forbes reports that one $39 program encrypts files, deploys from a variety of file formats, and deletes files at random intervals when the ransom isn't paid. Yet the price for companies affected by ransomware is much steeper. In addition to the ransom itself, companies facing ransomware are often unprepared for the true cost of dealing with attackers, getting systems back online and handling potential brand damage and lost productivity.
The Ransom is Expensive – But It's the Least Important Cost
Ransomware is a strain of malware that encrypts data on organizations' computers, servers or user devices, locking them down, before demanding payment of a ransom – often in Bitcoin or another non-traceable currency – in exchange for decrypting the data. According to the FBI, the costs of the ransom plus staff time in recovering the data averages about $330,000 per incident. The ransom itself varies, but is just a fraction of the costs that organizations face. One high-profile case required a Hollywood-based hospital to pay $17,000 to regain access to its data. Yet the financial outlay from paying the actual ransom typically costs far less than collateral damage.
Quantifying the Real Costs of Ransomware Attacks
Employees' productivity declines: Lost employee productivity is a major ransomware cost. When your team is unable to access email, customer information, and other essential systems, they're not able to get their work done and keep your business moving forward. According to the Aberdeen Group, the cost of downtime per hour ranges from $8,581 for small businesses to an astronomical $686,250 for enterprises. An outage of just one day can range between $205,944 and $16,470,000. Email continuity systems can keep your employees connected and working even during an attack.
Customers' access impacted: If locked down systems or encrypted data is linked to the customer experience, the financial damages can be further reaching. From brand damage to the inability to get customers what they need, lack of access to data can bring client-facing operations to a grinding halt. For example, in a healthcare setting clinical staff may be unable to access treatment or prescription data and need to send patients to another facility. Banks may be unable to accept deposits or provide accurate balance information via online banking portals. Customers who find out about ransomware attacks can develop negative brand associations and question both employee judgment and infrastructure security. It's hard to quantify the losses, but stock prices can drop and customers can take their business to the competition.
Potential regulatory and compliance fines: In certain industries, compromised data can be seen a security failing. Each breach or ransomware attack can lead to regulatory fines and penalties, such as in the healthcare industry or in banking. In healthcare, for example, HIPPA-covered organizations can face fines between $10,000 and $25,000 per incident – up to a maximum of $1 million per year. Nominal investments in the right solutions and employee training can help prevent ransomware attacks and recoup the investment many times over.
The cost of recovery and the potential for data damage: Restoring data after a ransomware attack isn't fail-proof or inexpensive. Key files may be deleted or inadvertently damaged during the restoration process. Bugs in the decryption software can lead to data losses. Even if decryption proceeds smoothly, businesses have to invest in IT staff time to get back online. Often a ransomware event also signals a complete forensic analysis of the current setup, network vulnerabilities and investments and strategies to prevent future issues which are time-consuming and potentially expensive.
Your team works hard to attract and serve your customers. Don't let a ransomware attack derail your business and have a negative impact on your bottom line. Mimecast's layered solution brings together email protection, business continuity and data replication capabilities into a single cloud solution that helps you protect against the threat of ransomware.
Contact us today to learn more.
More than 50 new types of malware used in ransomware attacks were released in the first half of 2016 alone. The pace of ransomware attacks is escalating. Nearly 40% of companies have been hit with ransomware attacks this year, and the Federal Bureau of Investigation estimates that the cost per incident is $330,000 when factoring ransomware, downtime, and data recovery. A viable cyber resilience strategy must take a layered approach to combat the realities of a much more complex malware environment.
It's not enough to focus on prevention. As new tools come on the market that allow non-technical criminals to enter the ransomware game for less than $40, businesses need to think about continuity planning before an attack occurs. Companies must think strategically about integrating a layered approach that defends on multiple fronts through targeted threat protection, data archiving and business continuity planning.
Email Ransomware Attack Prevention:
The Wall Street Journal estimates that 99% of ransomware attacks begin with an email. Users download a file or click on a link that infects computers, servers or networks with malware. Data is then locked down or encrypted until a payment is made; then, hopefully, the criminals behind the attack provide an encryption key.
Protecting your email is the frontline defense system against ransomware attacks. Companies can focus on a handful of interrelated solutions to help decrease the chances of emails compromising their system:
- Employ real-time scanning of all emails to help identify phishing and suspicious emails and links from questionable domains across email platforms and devices.
- Intelligent sandboxing solutions scan all attachments before they are delivered to recipients, minimizing the chances of ransomware attacks.
- Dynamic feedback alerts employees to potentially threatening emails, raising awareness and informing better decision-making.
- Email policies, employee training and running tests ensure that team members make smart decisions and complying with company IT procedures.
Ensure Employees Can Continue to Work During an Attack:
When a ransomware attack freezes your network and restricts access to data, productivity grinds to a halt. The losses can be staggering. One report from the Aberdeen Group estimates hourly losses ranging from $8,581 for small businesses to $686,250 for enterprises. Business continuity planning can keep your workers online and connected to email; with the right systems, employees and customers may be unaware that an attack is underway. Email continuity systems provide access to live and archived mail across devices, as well as contacts and calendars. Regular business operations can continue, while your IT team works behind the scenes to solve the problem.
Data Replication Capabilities:
When criminals want to take your data hostage, one of the best strategies you have to defeat them is your data replication strategy. Consider developing an archiving strategy that backs up your data from local drives – as well as third-party providers – in completely separate and unreachable files. Use systems and policies that disconnect backups from the main network after they occur.
Not only does this ensure that your data isn't lost or damaged during a ransomware attack, but it gives your organization a broader range of choices when dealing with the perpetrators.
The statistics for ransomware today can be daunting – and it quickly becomes apparent that no single solution can help companies prevent these malware attacks. However, cyber resilience is built on a layered strategy that prioritizes protecting your email, educating employees, creating viable data replication strategies, and keeping your business online during and after attacks. Mimecast's layered solution brings together email protection, business continuity and data replication capabilities into a single cloud solution that helps you protect against the threat of ransomware.
Contact us today to learn more.
What often impacts more than 100,000 computers a day, and can cost you thousands of dollars in remediation, downtime, and cleanup cost? Ransomware.
In a ransomware attack, you are literally held hostage and denied access to critical productivity tools and data like file servers, email, databases and more.
How’s an organization supposed to cope? Start with protecting the most prevalent ransomware delivery system - your email. Download this infographic to learn about the only cloud solution that combines prevention, business continuity and replication for email in a single solution.
Don’t wait. Protect your organization from ransomware now.
Adoption of Office 365 continues to grow rapidly, adding 50,000 customers a month, with Exchange email remaining the number one workload. At the same time, increasing regulation, litigation, and operational drivers necessitate the need for speedy, accurate and complete access to email data.
Email archiving has long been recognized as a key mechanism to meet these needs. Historically this was achieved on-premise alongside the mail server, but more recently has started to shift to the cloud in order to achieve economic and operational benefits. As email moves to the cloud, organizations must consider how to appropriately protect their data. Remembering that it’s their data, and responsibility ultimately sits with them to safeguard it, is critical.
With over 16% of Mimecast customers now using Office 365 for email, we’re often asked about what to look for in an email archive – specifically for protecting critical Exchange Online data. The following six critical considerations summarize the advice we give.
1. Email data should be immutable by default
All inbound and outbound mail, including detailed metadata, should be captured and stored automatically for all users – without the need for manual or scripted processes. A true enterprise-grade email archive should be designed from the outset as a long term, compliance-driven archive with immutable (WORM) storage and strong chains of custody. In this case, data cannot be modified or removed until the pre-defined retention period is reached.
A suitable archive allows for an independent, always-on, verifiable copy of data to be stored outside of the operational Office 365 infrastructure.
While Office 365’s in-place or litigation holds may satisfy some organizations’ requirements to preserve mailbox data, both were conceived to provide data preservation for active, ongoing litigation – not as a long-term immutable archive.
Mailboxes are not placed on litigation or in-place hold automatically - this is a manual task and can get inadvertently forgotten or misconfigured. Any mailbox content not on hold can be tampered with or deleted.
2. Search speed and consistency
The explosion in the amount of data stored by most organizations along with stricter regulation and increased litigation requires a suitable storage architecture to ensure rapid and accurate archive search results. A dedicated, cloud-based grid storage architecture is best suited to this task so that archive searches benefit from the aggregate power of all servers in the storage grid, together with a unified index, to deliver consistent results at superfast speed.
There should be no limit to the number of mailboxes that can be searched and the number of searches that can be run concurrently. E-discovery searches should not be impacted by email system downtime.
With Exchange Online, users are connected to a single server and data store. Large deployments likely mean multiple servers and data stores – each with its own index. Mailboxes are spread automatically across servers.
As a result, e-discovery searches could require access to hundreds of servers and indexes – potentially liable to inconsistent search results, e.g. server busy, server down, and incomplete index (e.g. unsupported file types, indexing errors).
Search speed is limited by individual Exchange server performance – each with multiple competing workloads. There are limits on both the number of mailboxes (10,000) and the number of e-discovery searches that can be run at the same time.
3. Minimize and limit specialized and manual admin tasks
Initial setup and ongoing administrator actions should all be managed through a single web-based graphical user interface (GUI). This negates the need for manual scripting which is more likely to result in misconfiguration and command errors that can result in significant data loss. Remember, humans are often the weakest link in the chain.
Organizations should also ensure that no single administrator should be able to change key archive policies such as retention duration. This could increase the chances of accidental or malicious actions having a potentially devastating impact.
There are certain admin actions in Office 365 that can only be achieved through PowerShell commands, such as applying a litigation hold to all mailboxes at once, or in-place hold to more than 500 mailboxes. Misconfiguration and errors are arguably more likely in these manual processes.
A single Exchange administrator can remove a hold.
4. Auditing must provide the details needed
Audit logs are vital to check and prove historical actions for both operational and legal purposes. Logs should be enabled by default and retained in perpetuity in order to ensure a complete record. The details logged must also be sufficient for the purposes they may be needed for. The logs should be held in a secure location accessible only to those with appropriate privileges.
In Office 365, auditing of admin actions is enabled by default and cannot be switched off. However, these logs are only kept for 90 days by default and do not include some actions, such as when messages are accessed or deleted, or the client or source details.
Mailbox audit logs must be manually setup and enabled per mailbox using PowerShell. These logs are stored in the target mailbox and could be deleted if the mailbox is deleted.
5. Seamless employee archive access from anywhere
The amount of critical data in email is growing rapidly, with archives increasingly used by employees as their primary repository to save and access important information. In fact, Gartner estimates that by 2019, 75% of organizations will treat archive data, including email, as an active data source.
Seamless and rapid access to this archive data from any device is, therefore, critical. Consistent access should be available via Outlook, the web, and mobile devices. Archive searches must be virtually instant to satisfy employee expectations. Almost 200,000 archive searches a month are made by Mimecast customer employees using the Mimecast Mobile app alone, demonstrating the importance of having easy access to archived content when out of the office. Mimecast offers an industry leading 7-second search SLA.
Microsoft provides archive access via Outlook, Outlook on the web, Mac and iPad only. There is currently no support for iPhone or Android – the two most popular smartphone platforms globally. There is no Office 365 archive search SLA offered.
6. Avoid mailbox lock-in
When archive data is held in a separate platform and location to operational email data, not only does this support compliance and regulatory requirements, it means that the primary mail platform can be changed without the roadblock of finding a viable way to extract data first (or risk losing it). It also provides continuity of access during mailbox migration projects.
Ask yourself. Will a move to Office 365 be the last time you change mailbox providers? Unlikely.
Office 365’s inline archive stores primary and archived mailboxes in the same single environment. With all email data in Office 365, it becomes more difficult to switch to another email environment – essentially leading to Office 365 lock-in. Tony Redmond, a Microsoft MVP and leading commentator expands on this situation in his article ‘Getting data into Office 365 is easy; not so straightforward to retrieve’.
Microsoft gives you 90 days to extract all your data before its permanently deleted following expiration or termination of an Office 365 subscription.
 Gartner Magic Quadrant for Enterprise Information Archiving, Nov 2014