Despite many organisations publicly stating that they will never pay out after a ransomware attack, research from Cohesity, the AI-powered data and security firm, has revealed that over 97 per cent of UK firms have paid a ransom in the last two years.
The research is especially concerning given that many experts expect cyberattacks to increase in 2024. Cohesity polled over 900 IT and Security decision-makers, 301 of them from the UK, and found that companies now treat cyberattacks as a matter of ‘when’, not ‘if’.
Alarmingly, eight in 10 (83 per cent) respondents said their company had been the ‘victim of a ransomware attack’ between June and December. The cyber threat landscape is expected to get even worse in 2024, with 95 per cent of respondents saying the threat of cyberattacks to their industry will increase this year. A further seven in 10 predict it will increase by more than 50 per cent.
Organisations’ attack surfaces are defined by the size and scope of their data environments. However, 74 per cent of respondents said their data security risk has now increased faster than the growth in the data they manage. Respondents also believe organisations’ cyber resilience and data security strategies are not keeping up with the current threat landscape. Only 25 per cent have full confidence in their company’s cyber resilience strategy and its ability to ‘address today’s escalating cyber challenges and threats’.
Slow data recovery
Cyber resilience is a technology backbone for business continuity. It defines companies’ ability to recover their data and restore business processes when they suffer a cyberattack or adverse IT event. However, according to respondents, every company has cyber resilience and business continuity challenges.
- All respondents said they need over 24 hours to recover data and restore business processes
- Just 10 per cent said their company could recover data and restore business processes within one to three days
- Thirty-eight per cent said they could recover in four to six days, and 34 per cent need one to two weeks to recover
- Alarmingly, almost one in four (24 per cent) need over three weeks to recover data and restore business processes
Further demonstrating cyber resilience gaps, just 12 per cent said their company had stress-tested their data security, data management, and data recovery processes or solutions in the six months before being surveyed. Additionally, 46 per cent had not tested their processes or solutions in over 12 months.
A lack of cyber resilience results in ransom payments
A huge 97 per cent of respondents said their company would pay a ransom to recover data and restore business processes, while five per cent said ‘maybe, depending on the ransom amount.’ Almost three quarters (73 per cent) said their company would be willing to pay over £2.4 million to recover data and restore business processes. A further 39 per cent of respondents said their company would be willing to pay over £4 million.
The research also showed the importance of being able to respond and recover. Nine in 10 (97 per cent) said their organisation had paid a ransom in the prior two years. This was despite 94 per cent saying their company had a ‘do not pay’ policy.
“The figures in the survey show huge deficiencies in an organisation’s ability to achieve the required recovery times to avoid significant disruption”, said James Blake, global head of cyber resiliency GTM Strategy, Cohesity. “Many organisations also said they would pay a ransom to reduce disruption. Paying the ransom almost certainly results in a loss of some of the data.
“Not to mention that we’ve seen the UK sanction ransomware operators; the last thing senior management need after dealing with a ransomware attack is the prospect of a huge fine or custodial sentence for breaching sanctions.”
Executive management should be accountable for data security risks and attacks
Respondents identified executive awareness and responsibility for data security as two areas for companies to improve, with just 31 per cent saying their senior and executive management fully understands the ‘serious risks and daily challenges of protecting, securing, managing, backing up, and recovering data.’
Four in five said executive management (C-Level) and boards should share the responsibility for their company’s data security strategy, while 64 per cent said their company’s CIO and CISO, in particular, could be better aligned.
Prioritising their biggest concerns about a successful data breach or cyberattack, respondents selected brand and reputational damage (33 per cent), long-term operational outcomes and projects (31 per cent), a direct hit to revenue (31 per cent), and a loss of stakeholder trust (30 per cent).
When asked who is most impacted by a data breach or cyberattack, respondents named existing customers (31 per cent), the Security team (28 per cent), the IT team (28 per cent), employees (28 per cent), and their third-party partners (28 per cent).
“Cyber resilience and data security should be a holistic organisational priority because the use of data and technology occurs in every function by every employee. The severe impact of a successful cyberattack or data breach on business continuity, revenue, brand reputation, and trust is enough to keep all business, IT, and Security leaders awake at night,” said Sanjay Poonen, CEO and president of Cohesity.
“To rapidly respond to cyberattacks, organisations need modern AI-powered data security and management solutions that protect their data, detect when it is under attack, and recover it as fast as possible to restore their business processes.”
Regulation isn’t driving companies’ cyber resilience and data security best practices
Despite consistent efforts from governments and public institutions to encourage cybersecurity and data management best practices, only 46 per cent of respondents said those initiatives, legislation, and regulations are driving their companies’ data security, data management, or data recovery initiatives.
Amongst the respondents who said government initiatives, legislation, and regulations are driving their data security, management, and recovery approaches, two in three specifically named these as the most influential:
- National Data Strategy (NDS)
- Consumer Data Right (CDR)
- Data Protection Act 2018
- UK Cloud Security Principles