Ransomware Research Reveals Millions Spent Despite Do Not Pay Policies


Research commissioned by Cohesity, a leader in AI-powered data security and management, reveals the majority of companies are paying ransoms and breaking their ‘do not pay’ policies. The research polled from over 900 IT and Security decision-makers, 301 from the UK, shows that companies operate in a ‘when’, not ‘if’, reality of cyberattacks. Nearly all companies polled, a staggering 97% in the UK, have paid a ransom in the last two years, and the vast majority expect the threat of cyberattacks to increase significantly in 2024 compared to 2023.

Alarmingly, 8 in 10 (83%) respondents said their company had been the ‘victim of a ransomware attack’ between June and December. The cyber threat landscape is expected to get even worse in 2024, with 95% of respondents saying the threat of cyberattacks to their industry will increase this year, and 7 in 10 predicting it will increase by more than 50%.

Organisations’ attack surfaces are defined by the size and scope of their data environments. However, 74% of respondents said their data security risk has now increased faster than the growth in the data they manage. Respondents also believe organisations’ cyber resilience and data security strategies are not keeping up with the current threat landscape, with just 25% having full confidence in their company’s cyber resilience strategy and its ability to ‘address today’s escalating cyber challenges and threats’.

Slow Data Recovery & Lack of Cyber Resilience Results Ransom Payments 

Cyber resilience is a technology backbone for business continuity. It defines companies’ ability to recover their data and restore business processes when they suffer a cyberattack or adverse IT event. However, according to respondents, every company has cyber resilience and business continuity challenges:

  • All respondents said they need over 24 hours to recover data and restore business processes
  • Just 10% said their company could recover data and restore business processes within 1-3 days
  • 38% said they could recover in 4 to 6 days, and 34% need 1-2 weeks to recover
  • Alarmingly, almost 1 in 4 (24%) need over 3 weeks to recover data and restore business processes

Further demonstrating cyber resilience gaps, just 12% said their company had stress tested their data security, data management, and data recovery processes or solutions in the six months prior to being surveyed, and 46% had not tested their processes or solutions in over 12 months.

A huge 97% of respondents said their company would pay a ransom to recover data and restore business processes, while 5% said ‘maybe, depending on the ransom amount.’ Almost three quarters (73%) said their company would be willing to pay over £2.4 million to recover data and restore business processes, with 39% of respondents saying their company would be willing to pay over £4 million. The research also showed the importance of being able to respond and recover, as 9 in 10 (97%) said their organisation had paid a ransom in the prior two years, despite 94% saying their company had a ‘do not pay’ policy.

“The figures in the survey show huge deficiencies in an organisation’s ability to achieve the required recovery times to avoid significant disruption”, said James Blake, Global Head of Cyber Resiliency GTM Strategy, Cohesity. “Many organisations also said they would pay a ransom to reduce disruption. Paying the ransom almost certainly results in a loss of some of the data. Not to mention we’ve seen the UK sanction ransomware operators, the last thing senior management need after dealing with a ransomware attack is the prospect of a huge fine or custodial sentence for breaching sanctions.”

Executive Management Should Be Accountable for Data Security Risks & Attacks

Respondents identified executive awareness and responsibility for data security as two areas for companies to improve, with just 31% saying their senior and executive management fully understands the ‘serious risks and daily challenges of protecting, securing, managing, backing up, and recovering data.’ Four in five said executive management (C-Level) and boards should share the responsibility for their company’s data security strategy, while 64% said their company’s CIO and CISO, in particular, could be better aligned.

Prioritising their biggest concerns about a successful data breach or cyberattack, respondents selected brand and reputational damage (33%), long-term operational outcomes and projects (31%), a direct hit to revenue (31%), and a loss of stakeholder trust (30%). When asked who is most impacted by a data breach or cyberattack, respondents said existing customers (31%), the Security team (28%), the IT team (28%), employees (28%), and their third-party partners (28%) were most impacted.

“Cyber resilience and data security should be a holistic organisational priority because the use of data and technology occurs in every function by every employee. The severe impact of a successful cyberattack or data breach on business continuity, revenue, brand reputation, and trust is enough to keep all business, IT, and Security leaders awake at night,” said Sanjay Poonen, CEO and president of Cohesity. “To rapidly respond to cyberattacks, organisations need modern AI-powered data security and management solutions that protect their data, detect when it is under attack, and recover it as fast as possible to restore their business processes.”

Regulation Isn’t Driving Companies’ Cyber Resilience & Data Security Best Practices

Despite consistent efforts from governments and public institutions to encourage cybersecurity and data management best practices, only 46% of respondents said their initiatives, legislation, and regulations are driving their companies’ data security, data management, or data recovery initiatives. Amongst the respondents that said government initiatives, legislation, and regulations are driving their data security, management, and recovery approaches, 2 in 3 specifically named these as the most influential:

United Kingdom:

  1. National Data Strategy (NDS)
  2. Consumer Data Right (CDR)
  3. Data Protection Act 2018
  4. UK Cloud Security Principles

About the survey:
The findings are based on a survey of 902 IT and Security decision-makers (split as close to 50:50 as possible) commissioned by Cohesity and conducted by Censuswide. Survey respondents were polled from businesses in Australia, the United Kingdom, and the United States. The top five industries selected by respondents as best representing their industry their company operates in were: IT & Telecommunications, Finance, Healthcare, Finance, HR, and Manufacturing & Utilities.



Source link