How to Calculate Your Organization's Ransomware Risk


By Aaron Piper, Sr. Cybersecurity Engineer, CIS Critical Security Controls


Ransomware continues to be a major concern, remaining both a prevalent and impactful type of attack. During the first eight months of 2023, the Multi-State Information Sharing and Analysis Center (MS-ISAC) observed a 51% increase in the number of ransomware incidents affecting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations compared to the same period in 2022. At least some of those incidents were double extortion attacks; cyber threat actors (CTAs) used both data encryption and data exfiltration to pressure victims into paying a ransom.

Given the nature of ransomware, you want to be proactive by calculating the risk that ransomware poses to your enterprise. In estimating the potential impact and likelihood of a ransomware attack, you can determine whether your current level of risk is acceptable and/or whether you need to do more to protect yourself. There's just the issue of getting started, which isn't always straightforward.

In this blog, I’ll discuss the challenges that you might face in calculating your enterprise's ransomware risk. I’ll then identify a resource from the Center for Internet Security (CIS) that can help you going forward.

The Many Faces of Ransomware Risk

It can be daunting to consider all the ways that ransomware can affect your enterprise. Let's visualize just a few of these impacts so that you can better appreciate what's at stake.

An Expensive Recovery Process

If you experience a ransomware infection, you could face an expensive recovery period due in part to several hidden costs. For instance, depending on your cybersecurity maturity and the nature of the attack, you might need to hire a third-party security firm to review your ransomware defenses and recommend changes going forward. You might also need to hire crisis communications professionals who can coordinate your strategy for communicating with customers, vendors, suppliers, and/or other parties whom the attack might have affected. Those costs don't include the hours that your teams would spend on remediating affected workstations and restoring data from backups.

Data Loss – Even When You Pay

You might think that you can recover your enterprise's data by paying the ransom in the worst case. But that's not what happens most of the time. In a 2022 report, Cybereason found that just 42% of victims who paid the ransom were able to restore all their systems and data. That's down from 51% in the previous year's report. What's more, more than half (54%) of survey participants said that system issues and/or data corruption persisted even after decryption – up from 46% in 2021. 

Disruptions to the Business

Both expensive recoveries and data loss resulting from a ransomware attack can disrupt your enterprise's operations. Specifically, nearly a third (31%) of participants in Cybereason's 2022 survey said that they had no choice but to temporarily or permanently halt operations after a ransomware attack. Slightly more participants (35%) said that their enterprises experienced a period of C-suite resignations following a ransomware incident. The incidence of layoffs after an attack was even higher for enterprises at 40%.

Bridging the Gap to Business Risk

All of the costs discussed above are difficult to calculate without the proper level of support. Fortunately, you don’t need to do this on your own. You can use our CIS CSAT Ransomware Business Impact Analysis tool.

While evaluating ransomware risk may seem like an overwhelming problem, the tool helps break it down into smaller, more manageable pieces. From response and asset replacement to legal costs and reputational damage, the tool walks you through multiple loss categories and sub-categories, helping make sure you don't miss important impact considerations.

By focusing on the ransomware-related CIS Safeguards (as defined in the CIS Community Defense Model), the tool helps you to estimate the likelihood of experiencing a ransomware attack and focus on those Safeguards that can offer the greatest protection against ransomware. With v1.1.0 of the tool, you can use v7.1 or v8 of the CIS Critical Security Controls (CIS Controls) for an assessment. Such flexibility helps you calculate your risk of experiencing a ransomware attack in a way that aligns to the underpinnings of your cybersecurity program

Finally, the tool uses all this information to create a downloadable report that summarizes your potential impact and likelihood of a ransomware attack. You can then use that information to help justify additional resources if your ransomware risk is at an unacceptable level.

Want to learn how a subset of the CIS Controls can help you defend against a ransomware attack? Check out our video below.


The Beginnings of Individualized Ransomware Defenses  

Regardless of your industry or goals, you need to account for ransomware in your risk planning. Our CIS CSAT Ransomware Business Impact Analysis tool provides you with a means of calculating your ransomware risk using the CIS Controls v7.1 or v8. With that information, you can then plan out and implement anti-ransomware measures that make sense to you and your enterprise.