Cyber resilience research commissioned by Cohesity reveals the true cost of ransomware to finances and business operations and why overconfidence may be the cause. The Cohesity Global Cyber Resilience Report 2024 surveyed over 3100 IT and Security decision-makers in eight countries on the impact of cybercrime and their abilities to withstand attack, showing an increase in threats and a trend towards ransom payments.
95% of UK respondents said cyber attacks were on the rise, a fact supported by more than half of UK respondents (53%) having fallen victim to a ransomware attack in 2023. This is a stark rise from the 38% of UK respondents that reported a ransomware attack in the previous year. 74% of UK respondents surveyed said they would pay a ransom to recover their data after an attack, and 59% of UK respondents had indeed paid a ransom in the previous year. Only 7% of UK respondents ruled it out, despite 2 in 3 (66%) having clear rules not to pay.
The readiness to pay a ransom highlights a mix of ignorance and overconfidence in recovering from a ransomware attack: 71% of UK respondents are confident in their company’s cyber resilience strategy and its ability to address today’s escalating cyber challenges and threats. However, recovery from ransomware is significantly more difficult than paying a ransom and assuming your data is simply decrypted and restored. This dichotomy raises the question: are the cyber resiliency and recovery plans of those surveyed genuinely fit for purpose?
“Once again, we see a gap between expectation and reality in recovering from a cyberattack,” said James Blake, Global Head of Cyber Resiliency Strategy at Cohesity. “We live in a ‘when’ not ‘if’ world, and it appears many IT and security professionals are confident in their ability to recover data only when they pay the ransom. Paying a ransom rarely results in the recovery of all data. It brings its own logistical challenges and potential criminal liability for paying sanctioned entities - not to mention rewarding criminals. It’s time to really focus on resiliency and end the cycle.”
Costs of Ransomware
The costs can be staggering: UK respondents paid an average of £870,000, with two respondents paying between £10 million and £20 million. On a global basis, Cohesity’s data reveals that 5% of companies had paid upwards of £10 million, with one organisation surveyed admitting to having paid over £20 million in ransom. According to Chainalysis, ransom payments were estimated to amount to at least $1.1 billion in Bitcoin in 2023.
The problem is not contained to the UK. In fact, the UK is well below the global average. Cohesity’s global data revealed 67% of respondents had fallen victim to a ransomware attack in the previous 12 months, with France the most affected at 86% of respondents. Globally, a staggering 83% would pay the ransom – again, France was the highest, with 97% of respondents admitting they would pay. Interestingly, the data shows a clear correlation between countries where respondents would pay a ransom and those reporting the highest incidence of ransomware attacks and an increase in cyber threats.
Consequences of paying a ransom
The trend towards relying on ransom payments also shows a disturbing ignorance of both the long-term effect of rewarding criminal gangs and the practical difficulty of recovering data in the immediate aftermath of a ransomware attack.
Enabling gangs to profit from their crimes only exacerbates the problem by turning ransomware into a business, attracting more players, and allowing investments into resources, thereby increasing the threat.
Data also shows that only 4% of respondents recover all their data, while the value of the data recovered is a complete lottery. Likewise, it is a logistical nightmare because the distribution of keys from the ransomware gangs is a rushed, haphazard process that is never engineered for quality and reliability. Organisations often take months to recover and may not have patched vulnerabilities, leaving a backdoor open for further ransomware attacks. Not only this, but making payments may be illegal in some cases and often voids insurance policies, while being totally unethical.
Cyber resilience – defined as a company’s ability to recover their data and restore business processes after a cyberattack – remains a clear challenge: less than 2% of respondents could recover data & restore business processes within 24 hours; 1 in 4 (23%) could recover within 1-3 days; while 19% need anything from 3 weeks to 2 months. This highlights another failure to test security and recovery sufficiently: just 70% of UK organisations surveyed had stress-tested their data security, management, and recovery processes in the previous 12 months, compared to a global average of 87%.
“Cyber resilience is critical because the incentive and motivation of attackers are so high, with attack surfaces incredibly vast, so a reliance on protective controls is unrealistic,” said James Blake. “Destructive cyberattacks severely disrupt an organisation’s ability to deliver its products and services, impacting revenue, reputation, their downstream supply-chain and customer trust. This risk must be at the forefront of business leaders’ priorities, not just IT and Security leaders. Similarly, regulation and legislation should not be seen by companies as the ‘ceiling,’ but instead the ‘floor,’ in both developing cyber resilience and adopting data security or recovery capabilities.”