This is the second study Ponemon Institute has conducted on the devastating impact ransomware attacks have on small to large-sized enterprises. The first study was completed in 2017, and as revealed in this research, little progress has been made in mitigating the consequences of these threats. In this year’s research, the percentage of companies experiencing an attack increased from 51 percent in the 2017 study to 80 percent. Yet, 57 percent of respondents believe their companies are too small to be the target of ransomware. This has remained unchanged since 2017.
Ponemon Institute surveyed 659 IT and IT security professionals in small to large-sized companies in the United States. All respondents have responsibility for containing ransomware infections within their organization. This study was sponsored by CBI and Check Point and conducted independently by Ponemon Institute.
The cost per incident will continue to increase, and the types of attacks will continue to evolve. What’s most striking is the vast majority of organizations are not doing enough to evaluate the security of their third parties. These findings should be a wake-up call and motivate organizations to evolve their ransomware mitigation playbooks.
The following findings describe the costs and consequences of a ransomware attack.
- Of the 80 percent of companies that experienced one or more ransomware attacks, 53 percent of respondents say the ransom was paid and averaged over $1 million. The preferred methods of payment are bitcoin and virtual currencies.
- If companies didn’t pay a ransom, it was because they had a full and accurate backup. However, respondents also believe a full and accurate backup is not enough when experiencing a ransomware attack.
- Companies that paid the ransom did so because they could not afford the downtime and had a cyber insurance policy that covered the financial consequences of a ransomware attack. Fifty percent of respondents say the cybercriminals provided a decryption key.
- Companies suffered financial consequences such as having to shut down for a period of time, losing customers, and eliminating jobs.
- According to the research, an average of 14 staff members each spent 190 hours to contain and remediate their companies’ largest ransomware incident. Based on an average hourly rate of $63.50, the average cost to assign staff to deal with the incident was approximately $170,000.
- The highest total costs resulting from a ransomware attack are from legal and regulatory actions, followed by the cost resulting from the company’s response to information misuse or theft.
- Cybercriminals were most likely to use phishing/social engineering and insecure websites to unleash ransomware. The most compromised devices are desktops and laptops; however, since 2017, mobile devices have been increasingly targeted.
- Compromised devices infected other devices in the network. Very often, data was exfiltrated from the device.
- As in the previous study, companies are reluctant to report the incident to law enforcement because of concerns about negative publicity and the potential loss of customers.
Following are the key takeaways from this research.
IoT risk awareness is rising and ransomware prevention is increasingly prioritized. Awareness of IoT risks has risen from 58 percent of respondents in 2017 to 67 percent of respondents in this year’s research. Prevention of ransomware is becoming more of a priority, increasing from 46 percent to 53 percent. Respondents say that, if attacked, their organizations are slightly less likely to pay the ransom than in 2017.
There is a lack of confidence in security controls. Companies spend an average of $6 million annually on staff and technologies meant to prevent, detect, contain and resolve ransomware attacks. However, there is only a slight improvement in confidence about security controls that prevent ransomware attacks.
Companies are increasingly relying upon third parties to deal with the prevention and consequences of a ransomware attack. Since 2017, the engagement of third parties to reduce the risk increased significantly from 58 percent of respondents to 69 percent of respondents. To remediate the incident, the use of the expertise of third parties has increased from 59 percent of respondents to 70 percent of respondents.
Despite the seriousness of ransomware, the ability to respond is low. As reported, the increase in ransomware attacks has been significant since 2017. However, the ability to respond to such attacks is very low. Companies must assess their staff, technologies, and policies to increase overall readiness.
The severity of ransomware infections has increased over the past 12 months. Sixty-one percent of respondents say the severity of ransomware infections has significantly increased (25 percent) or increased (36 percent) since last year. In 2017, 57 percent of respondents said the severity of ransomware infections increased significantly (18 percent) or increased (39 percent) over the past 12 months.
Companies have been receiving more ransomware alerts since 2017. As defined in this research, a ransomware alert is a notice that your system may be targeted or susceptible to a ransomware attack. These alerts are communicated via threat intelligence and law enforcement.
The number of weekly alerts has increased from 25 in 2017 to 34 in this year’s study. In 2017, 46 percent of these alerts were considered reliable. This year, 51 percent are considered reliable. In a typical month, an average of 6 percent of attempted attacks trigger an alert through one or more security controls but remain undetected.
A full and accurate backup is not considered enough by 55 percent of respondents. As discussed previously, only 32 percent of respondents are confident in their security controls, indicating the need to use more effective technologies to prevent ransomware attacks.
More companies need to conduct security assessments as part of their ransomware readiness strategy. Only about half (51 percent) of respondents say their organizations regularly conduct assessments to test their ransomware prevention and recovery practices.
In some cases, cyber insurance providers are decreasing their coverage for ransomware attacks. Most companies (64 percent of respondents) do not have cyber insurance policies that cover ransomware. Of the 36 percent of respondents who say their policies cover such attacks, 40 percent say the cyber insurance provider modified its ransomware protection resulting in decreased coverage. The average annual premium for a cyber insurance policy is $17,100.
Employees are still considered the weakest link in preventing ransomware attacks. Despite employee security training awareness programs that address social engineering, spear phishing and ransomware attacks, only 30 percent of respondents are very confident (12 percent) or confident (18 percent) in their employees’ ability to detect social engineering lures that could result in a ransomware attack.
Despite the risk, only half of training programs fully cover social engineering, spear phishing and ransomware. Sixty-one percent of respondents say their companies conduct continuous employee security awareness training. Of these respondents, 92 percent say the training covers social engineering, spear phishing and ransomware attacks fully (50 percent of respondents) or provides some coverage (42 percent of respondents).
In addition to insider risks, companies face ransomware threats from their suppliers and third parties. Seventy-five percent of respondents say they are very concerned about the risks the supply chain poses to their company as they relate to ransomware. Only 33 percent of respondents say third parties have the necessary privacy and security practices in place to reduce the risk of a data breach involving their companies’ sensitive and confidential information.
To reduce the risk of ransomware attacks, companies need to assess the security and privacy practices of their supply chain and third parties. As discussed, 75 percent of respondents are concerned about the ransomware risks posed by third parties. However, only 36 percent of respondents say their organizations evaluate third parties’ security and privacy practices. Only slightly more than half (53 percent) of respondents say their organizations conduct an assessment of the third party’s security and privacy practices. Currently, organizations mainly rely upon a review of written policies and procedures, according to 64 percent of respondents.