TL;DR

Ransomware and supply chain breaches now cost businesses an average of $5.08 million per incident in 2026, with US companies facing costs exceeding $10.22 million on average. Capita paid a record £14 million ($18.7 million) fine after a 2023 breach exposed 6.6 million people's financial data; CNA Financial paid a $40 million ransom settlement in 2021; and supply chain compromises cost 17 times more to remediate than direct attacks. Most of these losses were preventable with basic controls: multi-factor authentication, air-gapped backups, and third-party risk assessments.


The Staggering Price Tag of "It Won't Happen to Us"

The numbers are no longer abstract. In 2026, the global average cost of a ransomware breach sits at $5.08 million according to IBM's latest Cost of a Data Breach report. US businesses fare even worse — the average breach now exceeds $10.22 million. Total global ransomware damage is projected to hit $74 billion this year, according to Cybersecurity Ventures. Behind every statistic is a real company that assumed it was protected enough. Here are three cases where that assumption cost millions.


Capita: The £14 Million "No Evidence" Mistake

What happened: In March 2023, the UK's largest outsourcing firm Capita suffered a ransomware attack. The company initially stated publicly there was "no evidence of customer, supplier or colleague data having been compromised." That statement turned out to be catastrophically wrong. Attackers exfiltrated the personal data of 6.6 million people — including names, addresses, dates of birth, credit card numbers, and CVV security codes.

The bill: In 2025, the UK's Information Commissioner's Office (ICO) fined Capita a combined £14 million ($18.7 million). This was the largest fine ever issued by the ICO in a ransomware case and was reduced from an initial £45 million ($60 million) penalty. The ICO received complaints from individuals whose bank accounts had been drained as a direct result of the stolen data.

How it could have been prevented: The ICO's investigation found Capita "lacked the appropriate technical and organisational measures to effectively respond to the attack." Basic segmentation of its pension systems from the rest of the corporate network would have contained the blast radius. Encrypting financial data at rest would have rendered the stolen credit card numbers useless. A tested incident response plan — and honest breach disclosure from day one — could have reduced the regulatory penalty substantially.


CNA Financial: A $40 Million Ransom Settlement

What happened: In March 2021, CNA Financial — one of the largest insurance companies in the United States — was hit by a ransomware attack. The attackers, reportedly demanding $60 million, encrypted corporate data and threatened to leak it publicly.

The bill: CNA paid $40 million to the attackers. This remains one of the largest confirmed ransomware settlements on record. The payment didn't include the additional costs of system restoration, forensic investigation, legal fees, regulatory scrutiny, and reputational damage — costs that typically double or triple the visible number.

How it could have been prevented: The median ransom payment has surged from under $199,000 in early 2023 to $1.5 million by mid-2024, and the largest payment on record — $75 million by an undisclosed Fortune 50 company to the Dark Angels group — shows attackers are getting bolder. CNA's case highlights the value of immutable, air-gapped backups that are restored and tested regularly. If a company can restore operations without paying, the attacker's leverage vanishes. CNA, as an insurer, also should have had the most hardened security posture in the room — a painful irony not lost on the cybersecurity community.


The Supply Chain Multiplier: 17x the Damage

What's happening: IBM's 2025 report confirms that supply chain compromises now cost 17 times more to remediate than direct attacks. The average time to identify and contain a supply chain breach is 267 days — nearly nine months of attackers moving laterally through trusted vendor relationships before anyone notices.

The attack surface is every vendor with network access, every software dependency in your stack, every third party that processes your data. Gartner had predicted that by 2025, 45% of organizations would experience attacks on their software supply chains. The reality has validated those warnings.

The bill: Healthcare is the hardest-hit sector, with breach costs averaging $11.2 million. When a healthcare supply chain vendor is compromised, patient data from dozens of downstream providers can be exposed simultaneously — multiplying the cost for everyone involved. Stolen credentials remain the most expensive attack vector, taking an average of 292 days to resolve.

How it can be prevented: Vendor risk assessments aren't a one-time checkbox. Every third party with access to your systems needs ongoing monitoring. The NIST Cybersecurity Framework and ISO/IEC 27001 provide structured approaches to supply chain risk management. Technical controls — API access restrictions, network segmentation, least-privilege access — prevent one compromised vendor from becoming every vendor's problem.


What Your Business Should Do This Week

These aren't hypotheticals. The same attack patterns that cost Capita £14 million and CNA $40 million are scanning your network right now. Here are three actions you can complete by Friday:

  1. Test your backups. Not "check that the backup job ran." Actually restore a critical system from backup to verify the data is intact and the process works. If your backups are on the same network as production, they're not backups — they're another target.

  2. Enable multi-factor authentication everywhere. Stolen credentials are the costliest attack vector. MFA on every external-facing service — email, VPN, cloud consoles, remote desktop — stops credential theft from becoming a breach. This is the single highest-ROI security control available.

  3. Audit your third-party access. List every vendor, partner, and contractor with network access, API keys, or data processing agreements. For each one, ask: what's the minimum access they actually need? Remove everything else. Supply chain attacks multiply costs 17x; shrinking the vendor attack surface shrinks that multiplier.


FAQ

Q: My business is small — are we really a target?

A: Yes. Attackers automate their scanning. They don't care about your revenue — they care about whether your door is unlocked. The average ransomware recovery cost (excluding ransom) dropped to $1.53 million in 2025, but that's still an extinction-level event for most small businesses. Criminals know this and price their ransom demands accordingly — often set at what your cyber insurance policy will cover.

Q: Should we pay the ransom if we get hit?

A: The data says no. In 2024, total crypto ransom payments tracked by blockchain analysis fell 35% year-over-year to $813 million — not because attacks decreased, but because more organizations are refusing to pay. Law enforcement agencies including the DOJ and ACSC strongly advise against payment. Paying also marks you as a repeat target. Invest in restoration capability instead.

Q: What's the single most effective thing we can do with a limited budget?

A: Multi-factor authentication plus offline backups. MFA blocks the most common initial access vector (stolen credentials). Offline backups remove the attacker's negotiating power. Together, they cost almost nothing compared to the average breach.

Q: How long does it take to recover from a ransomware attack?

A: The average time to identify and contain a breach is 267 days according to IBM's data. Full operational recovery often takes months beyond containment. The businesses that recover fastest are the ones that practiced their incident response plan before they needed it.


Conclusion

Capita's £14 million fine. CNA's $40 million ransom. Supply chain compromises multiplying damage 17-fold. These aren't edge cases — they're the new normal. What the companies hit by these incidents lacked wasn't exotic security tools. They lacked the fundamentals that cost almost nothing to implement: tested backups, MFA, and visibility into who has access to what.

Don't wait for the breach to find out what your security gaps actually cost. The average breach in the US now exceeds $10 million. For a mid-market business, that's not a line item — it's the end of the company.

Visit lil.business/book for a free cybersecurity assessment. We'll help you identify the gaps before someone else does.


References

  1. IBM Cost of a Data Breach Report 2025
  2. ICO Fines Capita £14m Over Ransomware Data Breach 2023
  3. Fortinet — Recent Ransomware Payments and Settlements (CNA Financial, Colonial Pipeline)
  4. Cybersecurity Ventures — Ransomware Damage to Cost $74B in 2026
  5. Programs.com — 2026 Ransomware Cost Statistics
  6. CyberLab — Supply Chain Risk in 2026
