We all know that the damage done by ransomware doesn’t just end at downtime. Recovery can be a lengthy process, driving up costly bills that organisations are left to foot. In just the last year alone, ransomware attacks cost organizations globally an estimated $57 billion, a figure that’s expected to not just double, or triple, but quintuple to $275 billion by 2031. And no matter how good your cybersecurity is, ransomware attacks will continue to be a question of ‘when’, rather than ‘if’.

While you can never completely prevent incoming ransomware attacks, you can adjust how you respond. What if instead of panicking and scrambling to carry out a half-formed, siloed plan, you had a tried-and-tested recovery plan that worked like clockwork? How you answer this question will have a major impact on just how much your recovery costs. Do you have backups in place (or is a ransomware payment on the cards), is any data lost permanently, and how long are your operations offline? Being able to answer all these questions confidently is what will shift your recovery from good to great – and more importantly, will keep those costs minimal.

So how can you address this and trim down that bill?

Ransomware tab bigger than you expected?

Before any action can be taken, organizations first need to understand how they got here. In the past, the responsibility for cyber resilience and ransomware would have sat squarely in the hands of the security team. But in today’s digitally connected world, the responsibility for ransomware protection and recovery needs to extend further.

Despite this, many organizations are yet to get the memo. In fact, over half of organizations reported last year that they needed a significant overhaul of their IT operations and security team alignment.

They continue to keep all their ransomware recovery planning within the security team, meaning that when attacks do occur, they’re left scrambling to coordinate with the rest of the organization. The result? Deadly misalignment that drags out recovery times – and costs.

Take the spate of high-profile retail ransomware attacks across the UK last year. After the dust had settled, the numbers were tallied up, with estimated costs just shy of half a billion. This wasn’t just due to the IT costs; it was a result of the lengthy downtime the incident caused, with services across the business left out of action, or significantly reduced for months afterwards. It’s not that these organizations didn’t have recovery plans; it’s that they couldn’t implement them fast enough. And in a ransomware attack, time is quite literally money – the highest direct cost of downtime is lost revenue.

And these costs aren’t just exclusive to the UK. While that spate of retail attacks may have grabbed international attention, figures newly released by the FBI show that in the US alone, reported instances hit a record high of over 1 million. And the resulting financial losses totalled $20.8bn last year, up from $16.6bn in 2024. But often, the effect of downtime itself can be even more costly. Take the recent hack of Canvas, a learning management system, for example, which left students across the US, Canada, and Australia facing confusion and major disruption right in the middle of their end-of-year exam season as the platform remained offline for hours following the initial attack. Again, it’s not that there wasn’t a recovery plan in place; it’s that it wasn’t implemented fast enough to prevent disruption.

On paper, your IT, security, and infrastructure teams might have interconnected plans, but if your security team is the only one regularly testing and refining their plans, then those connections will fail. In practice, these teams might well be trying to work together, but security teams will likely be left trying to pick up all the slack, and there’s only so much that a security team can handle. Despite their best efforts, it will have a knock-on effect on downtime and overall recovery time.

This disconnect has already been recognized by regulations such as NIS2 and DORA across the EU, which both place increased responsibility for recovery and resilience on the shoulders of senior leadership, not just security teams. The U.S. Securities and Exchange Commission has also introduced similar rules to align cybersecurity with business oversight, requiring management and board members to be involved. So why wait?

An investment that pays for itself

Admittedly, it is easier said than done to align ransomware recovery across all your relevant business teams. But it’s worth the effort. You might spend big on the best-in-class security and recovery tools, but they don’t define your resilience – it’s all about how you use them. Technology needs to be aligned with wider business strategy, your people, and your processes. Yes, invest in high-quality tools, but don’t neglect investment in your training and preparation. It’s not about throwing more money at the problem; it’s about spending it in the right place.

Spreading investment more evenly across the board might end up costing you a little more in the short term, but done right, it’s an investment that won’t just pay for itself; it’ll drive additional revenue too. We’ve already seen that organizations with better resilience, characterised by this approach, don’t just perform better on paper; they perform better in profits too, with a 10% higher average revenue growth rate. Organizations with mature resilience don’t just recover 30% faster from ransomware, but their downtime costs are 2x lower on average. The way forward is clear – organizations just need to take that first step.

Closing your tab

Unless organizations change their approach to ransomware recovery, these costs will keep mounting. Ultimately, your security stack can only get you so far without empowered teams and standardized execution of resilience measures to match. Otherwise, in times of crisis, you’ll be scrambling to respond when you should be acting decisively.

It can be hard to know where to start, but tools such as Data Resilience Maturity Models can help here. They assess your current level of preparedness and produce practical guidelines for turning your existing tools and your talented teams into a fully aligned ransomware recovery strategy, one that ties your resilience directly into business strategy so that threats are anticipated, governance is enforced, and compliance is met and maintained. And most importantly, one that ensures you’re not spending more on ransomware recovery than you need to.

Edwin Weijdema
Edwin Weijdema is field CTO EMEA at Veeam Software