UK firms are dangerously overconfident about paying ransoms to cyber criminals


Organizations are naïve when it comes to ransomware, new research has warned, with many believing their chances of recovering data are higher than they actually are.

Virtually all UK IT and security decision-makers surveyed by Cohesity were aware that cyber attacks were on the rise, with more than half having fallen victim to a ransomware attack themselves in 2023.

This, the study noted, marked a significant increase compared to the year prior, highlighting the escalating threats faced by enterprises.

Three-quarters said they'd pay a ransom to recover their data after an attack, and six-in-ten said they'd done so in the previous year. Only 7% of UK respondents ruled it out, despite two-in-three having clear rules not to pay.

But while 71% of UK respondents are confident in their company’s cyber resilience strategy and its ability to address security threats, the willingness to pay ransoms highlights a mix of ignorance and overconfidence, according to James Blake, global head of cyber resiliency strategy at Cohesity.

"Once again, we see a gap between expectation and reality in recovering from a cyber attack. We live in a ‘when’ not ‘if’ world, and it appears many IT and security professionals are confident in their ability to recover data only when they pay the ransom," he said.

"Paying a ransom rarely results in the recovery of all data. It brings its own logistical challenges and potential criminal liability for paying sanctioned entities - not to mention rewarding criminals. It’s time to really focus on resiliency and end the cycle."

The costs associated with ransomware attacks can be staggering, research shows.

UK respondents paid an average of £870,000, with two paying between £10 million and £20 million. On a global basis, 5% of companies have paid upwards of £10 million.

According to Chainalysis, ransom payments were estimated to amount to at least $1.1 billion in Bitcoin in 2023.

The UK is actually well below the global average in this regard, however. Just over two-thirds (67%) of respondents fell victim to a ransomware attack in the previous 12 months, with France the most affected at 86% of respondents.

Globally, 83% said they'd pay the ransom – with 97% of French respondents admitting they would pay. It may be telling that there's a clear correlation between firms in countries that would pay a ransom and those reporting the highest incidents of ransomware attacks.

In fact, only 4% of organizations that pay up recover all their data, and many take months to recover. Meanwhile, making payments may be illegal in some cases and often voids insurance policies.

Fewer than 2% of respondents said they were able to recover data and restore business processes within 24 hours, and only a quarter managed it within one to three days.

Meanwhile, one-in-five needed anything from three weeks to two months - possibly because just 70% of UK organizations surveyed had stress-tested their data security, management, and recovery processes in the previous 12 months.

"Cyber resilience is critical because the incentive and motivation of attackers are so high, with attack surfaces incredibly vast, so a reliance on protective controls is unrealistic," said Blake.

"Destructive cyber attacks severely disrupt an organization’s ability to deliver its products and services, impacting revenue, reputation, their downstream supply-chain and customer trust. This risk must be at the forefront of business leaders’ priorities, not just IT and Security leaders."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.