The high cost of cyber attacks. The report shows that most companies pay
Indigo Books & Music is still racking up the staggering cost of a ransomware attack that temporarily paralyzed its e-commerce platform, left it unable to process payments in its stores for three days, and took its website offline for about a month earlier this year.
The retailer lost $42.5 million in its most recent quarter, $19 million more than the same period last year, and said last week that while it doesn’t have an exact figure, most of that extensive loss was due to the cyberattack.
Indigo refused to pay a ransom to the criminals who used a type of software called LockBit to illegally access its network, saying it could not be certain that the ransom payment would not end up in the hands of terrorists or others on sanctions lists.
But according to a new report from law firm Blakes, the majority of Canadian companies hit by ransomware attacks do pay — and that ransom is costing companies far more now than in years past.
Ransomware attacks occur when hackers use malware to break into companies’ IT systems, lock or steal information, and then demand a ransom for its return.
In the fourth edition of an annual report on cybersecurity trends, Blakes said that in 2022, two-thirds of companies hit by ransomware attacks eventually paid, up from 56 percent in 2021.
The median ransom paid was $546,000, a sharp increase from $100,000 two years earlier.
“The threat actors — the bad guys — are getting quite sophisticated in their attacks,” said Sunny Handa, a partner at Blakes who leads the company’s technology practice.
“They take a lot of data, they target sensitive data and they publish that data… they (also) hunt the backups and they destroy backup systems.”
Handa, who acts as an “infringement attorney” and advises clients on how to respond to cyberattacks, said that once hackers have encrypted a company’s networks, “you can’t really run your business.”
Cyberattacks on companies have become an industry
“So that also forces people to pay the ransom because otherwise they lose days, weeks, months of operations.”
The dollar value of the ransom keeps increasing, he says, in part because it’s become an industry.
“(The hackers) are investing a lot more and they realize there’s a market here where people are willing to pay, so they’re asking for more.”
Blakes bases its report on cyberattacks disclosed by companies publicly traded on the Toronto Stock Exchange, as well as information from its own clients, citing the “large number of breaches handled by Blakes’ cybersecurity team.” It tracked breaches from September 1, 2021 to December 31, 2022.
Handa said the report does not represent every data breach in Canada, but is intended to reflect trends in the space.
It’s unclear exactly how many incidents there are each year — many companies never disclose cyberattacks — but he estimates the number is in the thousands.
The financial blow companies take when hit by a data breach is not limited to paying a ransom, Handa said.
First, there’s the “hard cost” of paying someone like him, a forensic team, and communications professionals. Then there’s the “opportunity cost” of lost business and the public relations damage a company can incur.
In Indigo’s disclosures last week, it said it spent $5.2 million on costs to respond to the ransomware attack, including legal and professional fees, “costs for data recovery, hardware and software recovery, and incremental inventory scrap,” among other things.
In addition, the company said the attack meant it was unable to process sales and also caused significant operational disruption.
Indigo said it has cyber insurance and is working with its insurer to make claims under the policy, but expects a time lag between costs incurred and any insurance proceeds it will receive.
Last week, Calgary-based Suncor was hit by a cyberattack that the company says will likely cost it millions of dollars.
Canada’s electronic spy agency, the Communications Security Establishment, also revealed in its annual report last week that it blocked 2.3 trillion “malicious actions” against the federal government in the past fiscal year.