🦊 40X increase in cost since 2018
Aug 03, 2021 4:21 pm
...you won't be shocked to find out which statistic increased by 40X, but man, this is serious.
Hi. I'm Jon Fedor and this is InCyber Regular, edition 18. Let's get into it.
At InCyber I talk about cyber-related issues and security-awareness for smaller enterprises, the cyber-curious, and the security-conscious. Sometimes we talk tactics, sometimes theories; always, security.
Today: The market value of ransomware in one tweet
Why do you pay more for ransoms than pen-testing?
Most people are over-the-moon-like-a-cow happy if they can get a 10X return on anything (time, money, investment, Starbucks beverage...etc).
I hope you're sitting down. Turns out the average ransomware demand has increased from $5,000 in 2018 to > $200,000 in 2020. Antivirus publisher Emsisoft released these stats and distributed aspirin along with them to protect against heart attacks. Especially because that figure is *very* likely to increase in 2021.
That's a 40X increase in demand price. And that's just working from the *averages*.
So here's the good news! Penetration testing for a network or set of devices etc. tends to cost less than $100,000. Usually closer to $50k a pop.
So why are we paying $2-3-4-500,000 for a ransom when we could be paying 50% or less for a pen test to, theoretically, protect against a hack?
Here comes SwiftOnSecurity with the answer (assisted by Drake):
"Ransomware costs more because it produces more change than a PDF."
oof.
Change vs Compliance
I went through a pen-test engagement once. I was working with a global manufacturer and we brought in one of the Big Four to do a pen-test on a set of devices we were bringing to market.
We shipped the researchers hardware, they shipped us a 60-page PDF report, and we paid Mr. Big Four $60k.
But why?
Sure it's good standard practice when bringing an industrial device to market...I guess (?).
We did it because we needed to perform a pen-test on the device to get one of the other international certifications Global Manufacturer wanted standard on all its white-labeled hardware.
Cool cool...cool cool cool.
But did this pen-test improve the project at all? Did we make any design changes? Not really. It was all about compliance.
The point SwiftOnSecurity is making is that if you get hit with ransomware, your entire organization changes. You shine light in all dark corners, train all your employees, unlock the magical key of emergency capital investment, and more!
A PDF will not produce this type of change.
Price vs Value
Economists will be the first to tell you that the price of a good or service isn't the same as its value. Value is intrinsic whereas price is just the market-rate for that good or service.
Yawn. Are you still awake?
If so, we can see the point here.
How much actual value is there in a PDF? It's ones and zeroes.
How much value is there in your organization working to recover from a ransomware attack and transforming parts of how you do business in order to protect against future attacks? Is it cliché to say "priceless"?
Change is hard for everyone. It's always annoying and usually painful. Is a PDF annoying or painful? Even when it's budgeted into the cost of a project at $60k, it's really not.
Something to think about today.
Thanks!
Hanging with you every week is the highlight of my week! Thanks for being here.
If you ever have questions on personal digital security, cyber security news, a story you want to tell, or a favorite resource to share (etc) reply back and let me know!
Last week a few of you responded back and sent me interesting information and articles - thank you! Keep 'em coming and I'll feature you in future editions!
Have a good'un, Good Lookin'.
~ Jon "Maybe-You-Need-To-Be-Hacked" Fedor