The Cost of Downtime: Lessons learned from a Ransomware Attack.

The Cost of Downtime: Lessons learned from a Ransomware Attack.

Stressed Business WomanThe Cost of Downtime: Lessons learned from a ransomware attack.

It is unfortunate that it takes a disaster to implement a plan.

With the rise of cyber-attacks, it’s not a matter if you will be targeted, but when. It’s a common belief that early stage businesses are “too small” to be a targeted for an attack.

Taking a look at some statistics we find the following:

A colleague of mine (who I will call Larry) was hit by a ransomware attack. He arrived mid-day to find his office almost shut down while his IT consultant was restoring data from the previous day’s backup to the server. Larry was very lucky. If certain events did not go his way, he may have fell into that second statistic. The office’s PC and network infrastructure was offline for 8 hours while the consultant restored data and hunted down and removed the infections.

If you factor the hourly rate of the consultant at $100/hr, we are looking at an $800 bill for his services.

If you calculate the downtime of his staff not being 100% productive for 8 hours, we can estimate anywhere from $2000 to $3000 on just wages.

So our downtime calculated so far is in the range of $2800 – $3800 for the unfortunate incident of clicking on the wrong email or landing on the wrong website. When we take a deeper look at downtime costs, we have not included lost opportunity costs such as billable hours or lost sales. Other factors to consider beyond the duration of the actual downtime is lost productivity costs based from the attack. For example, a bookkeeper may have to re-enter and rebuild previous transactions back into the accounting system. Based on how much data has been impacted or lost between backups is another significant cost to consider. When you search online for downtime calculators, there are plenty to choose from. The bottom line is that the actual cost per attack now becomes closer to or exceeds the figure stated in the first statistic listed above.

Lessons Learned and 5 Steps to Prevent Cyber-Attacks:

Lesson 1: Have Proper and Fast IT Support

Once the ransomware was detected, The IT consultant dropped everything and was on route to the office. If you don’t have internal IT support and rely on a 3rd party provider such as a consultant or a MSP (Managed Services Provider), ensure they have adequate staff and appropriate SLAs (Service Level Agreements) to deal with such an emergency. The last thing you need to hear is that they are tied up elsewhere. IT Support should also be on top of update patches for applications as well as the operating systems. Malware and viruses typically exploit these vulnerabilities.

Lesson 2: Ensure you have a Solid Backup Process

Your backup is your first layer of defense. If all else fails, you should be able to rely on your backup. You should also have an offline backup. Larry had a removal hard drive attached to the server which he removed nightly and placed in a safe. If Larry forgot to remove the hard drive from the server, certain ransomware variants are able to infect those drives as well. Implementation of an automated cloud backup makes this job easy and removing any “human error” in case one forgets to change/remove drives. NOTE: Any backup operation ALWAYS requires due diligence by periodically testing the restoration process.

Lesson 3: Get a Next Generation/Unified Threat Management Firewall

According to AV-Test, “The total number of malicious programs found in the wild will surpass the half billion milestone this year.” That’s more than double from 3 years ago. A lot of small business have routers from their internet service provider (ISP) that acts as their firewall. We need to take steps to counter these threats by employing more robust devices. Next Generation Firewalls (NGFW) have advanced functionality that can appropriately inspect/filter incoming and outgoing data plus a wide range of other applications. Gateway anti-virus and spam blocking are the most popular features. NG or UTM firewalls have come down in price and are no longer exclusive to large enterprises.

For example, the WatchGuard T30-W Firewall appliance is designed for small business and runs for about $1075. As many may feel that this may be a bit pricey, I believe it’s a small investment. As we now know how much one incident costs.

I recommend WatchGuard firewall products for their price/performance ratio as well as ease of use. Click here for a review on the T30-W from SC Magazine.

Lesson 4: Have Upto Date Endpoint Security Protection

It is always essential to keep your PCs and laptops updated with the latest security software. This layer of security is just as important as the firewall since a threat can bypass the firewall if its carried in by a USB stick. Most security software vendors work round the clock to keep their virus signatures up to date. Due to how current trends in how malware and viruses can be quickly re-compiled to bypass signatures, I recommend Webroot’s SecureAnywhere products. Webroot manages the processes on the device through a cloud based scanning engine. If a malware executes on a PC, SecureAnywhere can instantly stop the malware from causing any harm. SecureAnywhere received PC Magazine’s Editor’s Choice award in April.

Lesson 5: Training for Staff

In the past, security and or awareness training was minimal to non-existent at best. Staff did not really need to be trained to be on the lookout from a “Nigerian prince”. Today that has changed. Phishing emails target end user staff by tricking them into clicking on an attachment or sending information to even performing wire transfers. In Larry’s case, staff was quick to recognize the issue, call the consultant and turn off machines to prevent the infection from spreading further. Companies like KnowB4 have awareness training programs where they can test staff against phishing attacks.


If a business implemented all of the above recommendations, there is still no guarantee that you can escape an attack. No one can guarantee that. That is why your backup will always be your first (or last depending on your perspective) line of defense if an attack is successful. However, if the investment in all these tools stop that ONE attack, you probably have achieved your ROI. In a recent blog, I mentioned how SMBs need to review their IT, not only to be compliant with industry standards like PCI, but to be competitive as well if that organization needs to share information with other partners or clients. I also predict that having a NG or UTM based firewall is going to be a standard within the next few years for compliance and insurance requirements.

For more information about how BIT can help develop your security solutions from gateway to endpoint, give us a call.



Image courtesy of Ambro at

Need Help?