I recently came across an interesting study from Cohesity regarding the prevalence of ransom payments following a successful cyberattack.  It turns out, nearly all respondents seem willing to make a payment if necessary, and extremely long recovery times are the primary motivator for this decision. This study shows a shocking vulnerability in the business world to a successful cyberattack. I’d go so far as to say that only 7% could be considered cyber resilient, based on their self-assessed ability to quickly recover business operations without paying a ransom.

The Cost of Compromise: Why Businesses Are Paying Ransoms to Hackers

The reality of the situation is that the threat of ransomware attacks looms large over businesses of all sizes. Cybercriminals are becoming increasingly sophisticated, launching attacks that can cripple organizations and hold their valuable data hostage.  Cyberthreat marketplaces have made their way on the web, making attacks easier than ever.  As a result, businesses are finding themselves faced with a difficult decision: pay the ransom or risk losing their data forever.

This post aims to shed light on the prevalence of ransom payments and the factors that drive businesses to make these difficult choices. By understanding the deficiencies in data recovery, analyzing the escalating threat of ransomware attacks, and exploring strategies to enhance cyber resilience, business leaders, IT and security decision-makers, and cybersecurity professionals can gain valuable insights into how to better protect their organizations and mitigate the impact of these devastating attacks.

Corporate Policy Says “Do Not Pay.” IT Decision Makers Say Otherwise

The research study commissioned by Cohesity sheds light on the prevalence of ransom payments among companies. The study, which polled over 900 IT and Security decision-makers, reveals that the majority of companies have paid a ransom in the last two years, despite having ‘do not pay’ policies in place. This highlights the urgency and severity of the cyber threat landscape, with companies feeling compelled to make payments to regain access to their data.

The study also indicates that the threat of cyberattacks is expected to increase significantly in 2024. Over 79% of respondents reported being victims of a ransomware attack between June and December, emphasizing the widespread nature of these attacks. Furthermore, 96% of respondents anticipate an increase in cyberattacks within their industry, with 71% predicting an increase of more than 50%. These statistics underscore the need for businesses to enhance their cyber resilience and strengthen their defenses against ransomware attacks.

The size and scope of an organization’s data environment play a crucial role in determining their attack surface. As data environments grow, the risk of data security breaches and ransomware attacks increases. Alarmingly, 78% of respondents in the study reported an increase in data security risk that outpaced the growth of their data. This highlights the need for businesses to prioritize data security and take proactive measures to protect their valuable assets.

Why are Companies Breaking Policy?  Data Recovery Deficiencies Show Organizations are not Cyber Resilient

Quickly restoring compromised systems and resuming business operations can be a complicated task.  It’s often cheaper and faster to just pay the ransom, and organizations are keen on minimizing publicity when they’ve been hacked and ransomed. Companies just do not have the overall cyber resilience and data security strategies in place to keep up with the current threat landscape.

In fact, only 21% of respondents expressed full confidence in their company’s cyber resilience strategy and its ability to address today’s escalating cyber challenges and threats. This lack of confidence is a significant concern, as cyber resilience is the backbone of business continuity. It determines a company’s ability to recover data and restore business processes in the event of a cyberattack or adverse IT event.

The survey revealed that every company faces cyber resilience and business continuity challenges. Consider expected recovery times cited by the respondents:

• All respondents stated that they need over 24 hours to recover data and restore business processes.
• Only 7% of companies reported that they can recover and restore within 1-3 days.
• 35% of companies stated that it takes them 4 to 6 days to recover
• 34% require 1-2 weeks
• 23% of companies need over 3 weeks to recover data and restore business processes.

These findings highlight a clear gap in cyber resilience, as companies are struggling to recover data and restore processes in a timely manner. Additionally, the lack of proactive measures is evident, as only 12% of companies reported stress-testing their data security, data management, and data recovery processes in the six months prior to the survey. Furthermore, a significant 46% of companies had not tested their processes or solutions in over 12 months. 

Given the lack of data recovery testing, can we assume the responses highlighted above are really accurate?  I doubt it.

Given the long time necessary to properly recover data and restore operations, it’s not surprising that 94% of respondents stated that their company would be willing to pay a ransom to recover data and restore business processes. Additionally, 67% of respondents indicated that their company would be willing to pay over $3 million, with 35% willing to pay over $5 million.

This research underscores the importance of being proactive in addressing cyber resilience deficiencies. It is crucial for executive management to take responsibility for enhancing cyber resilience within their organizations. Without a strong cyber resilience strategy, companies are vulnerable to cyberattacks and may find themselves resorting to ransom payments as a solution. To avoid these circumstances, companies must prioritize data security, cyber resilience, and business continuity in their IT security and cybersecurity strategies.

A Quick Look at Ransomware Attacks in the Education Sector

My research folder includes a relevant bit of information about ransomware attacks and the need for cyber resiliency within the education sector. I think that taking a close look at data here can illustrate the threats that all organizations in every industry have to deal with.

The education sector faces an alarming increase in ransomware attacks, with a staggering 84% surge in known attacks during the first six months of 2023. Educational institutions such as schools, colleges, and universities have become attractive targets for ransomware criminals due to the vast amount of valuable data they store, including student records, financial information, research data, and intellectual property.

These malicious cyber-attacks involve encrypting an institution’s sensitive data and demanding hefty ransom payments in exchange for restoring access. In the MalwareBytes report, researchers stated that there were 190 known ransomware attacks against educational institutions worldwide between June 2022 and May 2023. This highlights the severity and persistence of the threat faced by the education sector.

The primary motivation behind ransomware attacks on the education sector is financial gain. Attackers seek substantial ransom payments from institutions capable of responding and recovering. Surprisingly, despite having a “do not pay” policy, 90% of organizations in the education sector have paid a ransom in the prior two years. This alarming statistic underscores the urgent need for improved cyber resilience within educational institutions.

According to Brian Spanswick, Chief Information Security Officer and Head of IT at Cohesity, organizations cannot control the increasing volume, frequency, or sophistication of cyberattacks like ransomware. However, they can control their cyber resilience, which is the ability to rapidly respond and recover from cyberattacks or IT failures. This requires adopting modern data security capabilities.

The Role of the C-Suite in Cyber Resiliency

Executive management plays a crucial role in enhancing cyber resilience and protecting against ransomware attacks. However, a survey conducted by Cohesity revealed that only 35% of respondents believed that their senior and executive management fully understood the serious risks and daily challenges of data security. This lack of awareness highlights the need for greater understanding and accountability at the executive level.

The responsibility for data security should be shared among executive management, C-Level executives, and boards. Four in five respondents to the Cohesity survey stated that executive management and boards should share the responsibility for their company’s data security strategy. Additionally, 67% of respondents believed that their company’s Chief Information Officer (CIO) and Chief Information Security Officer (CISO) could be better aligned.

When asked about their biggest concerns regarding a successful data breach or cyberattack, respondents identified brand and reputational damage, a drop in share price/investment/profitability, a direct hit to revenue, and a loss of stakeholder trust. These concerns highlight the significant impact that ransomware attacks can have on an educational institution’s operations, finances, and overall reputation.

Human Resources can Help Make Organizations Cyber Resilient

Traditionally, HR has been overlooked in incident response planning, with organizations primarily relying on IT and security departments. However, this approach fails to recognize the unique skills and knowledge that HR professionals bring to the table. HR’s possesses a number of useful capabilities to help during a cyberattack.  They have communication skills, serve as a bridge between leadership and employees, they often develop and manage training programs, and their inherent expertise in handling sensitive worker data make them invaluable members of any incident response team.

LeeAnne Pelzer, consulting director of Unit 42 at Palo Alto Networks, a cybersecurity company, emphasizes the importance of integrating HR into the planning process. She states, “Too many times companies think only IT and security should be part of the incident response, but they overlook HR. In the middle of a response, organizations often realize just how important HR is, but by that point they’re usually scrambling or hitting communication bottlenecks because they didn’t integrate HR into the planning process.”

During a cyberattack, HR can fulfill critical responsibilities that align with their expertise. They can assist in communicating with employees, providing updates, and addressing concerns. HR can also play a crucial role in managing the aftermath of a cyberattack, including coordinating support services, facilitating the recovery of affected employees, and ensuring compliance with legal and regulatory requirements.

Perhaps more importantly, HR can help to create a proactive security culture within the organization.  Cyber Awareness Training is an inexpensive way to keep employees from falling victim to attacks like phishing and it’s more effective cousin, smishing.  By recognizing the role of the human element in cyber resiliency, many attacks can be avoided entirely.

Is Government Regulation the Answer to Improving Cyber Resiliency in Business?

In the previous section, we discussed the severe impact of cyberattacks and data breaches on various aspects of business operations, including continuity, revenue, brand reputation, and trust. It was emphasized that cyber resilience and data security should be a holistic organizational priority, as the use of data and technology permeates every function and is the responsibility of every employee.

To effectively respond to cyberattacks, organizations require modern data security tools and management solutions that not only protect their data, but also detect when it is under attack and recover it as quickly as possible to restore business processes. This is crucial in minimizing the damage caused by cyber incidents and ensuring a swift recovery.

One of the key findings from the research conducted by Cohesity is that existing customers, security teams, IT teams, employees, and third-party partners are the most impacted stakeholders in the event of a cyberattack or data breach. This highlights the widespread consequences of such incidents and the urgent need for robust cybersecurity strategies.

While governments and public institutions have made efforts to encourage stronger cybersecurity practices and data management, the research revealed that only 46% of respondents believe that government initiatives, legislation, and regulations are driving their companies’ data security, management, or recovery initiatives. This suggests that there is still work to be done in aligning regulatory efforts with industry practices.

However, for those respondents who did attribute their data security practices to specific government initiatives and regulations, several influential ones were mentioned. In the United States, regulations such as the California Consumer Privacy Act, the Federal Trade Commission Act of 1914, the Department of Defense’s Cyber Security Maturity Model Certification (CMMC), the Digital Millennium Copyright Act of 1998 (DMCA), the Sarbanes-Oxley Act of 2002, and the California Privacy Rights Act of 2020 (CPRA) were identified as key drivers. 

To Wrap Up

Ransomware attacks have become an all too common threat in today’s digital landscape, forcing businesses to make difficult decisions regarding their valuable data. The prevalence of ransom payments highlights the deficiencies in data recovery and the escalating threat that cybercriminals pose. However, by implementing strategies to enhance cyber resilience and taking executive management responsibility seriously, businesses can better protect themselves and mitigate the impact of these devastating attacks. It is crucial for organizations of all sizes to invest in robust cybersecurity measures, train their employees on best practices, and stay vigilant in the face of evolving threats. Only by doing so can businesses hope to navigate the cost of compromise and safeguard their data from the clutches of hackers.