Organisations are making costly decisions when it comes to ransomware, recent research by NTT Security reveals.
The company’s 2018 Global:Risk report, which interviewed over interviewed 1,800 business decision makers from non-IT functions in 12 countries in Europe, the US and APAC found that a third of global organisations preferred to pay later than invest in protection now. While this figure dropped to 20% in the UK, a further 30% admitted they are not sure whether they would pay or not, suggesting only about half are prepared to invest in security to proactively protect their business.
“Some might call it naivety”, suggests Kai Grunwitz, senior vice-president for Europe at NTT Security. “Many are still prepared to take a short-term, reactive approach to security to drive down costs”
Such short-termism may appear surprising, given that ransomware has hardly snuck up on the cyber-horizon. According to Verizon’s 2018 Data Breach Investigations Report ransom attacks were the most prevalent variety of malware in 2017 and since then NTT have announced a 350% global spike in the number of incidents.
“Ransomware is the nuts and bolts of cybercrime”, the CISO of a multi-national insurance firm insists. “It’s scary….and it usually works.” He claims ransomware boasts a 71% infection success rate: a strike record supported by an F-Secure survey which found that attackers are moving to more targeted methods, allowing criminals to focus “on the quality rather than quantity of targets in the hopes of getting a better payday.”
As the criminals get more focused, the companies seem to be losing grip: both on their security controls, and their cash. While ransomware is the type of cyberattack that most worries healthcare IT professionals, according to an Imperva survey, half of respondents didn’t know if they have paid a ransom or not.
“(This) is big, big, business”, warns the insurance CISO. “(and) there is too much money at stake for it to go away anytime soon (…but) “you cannot trust the criminals…if you pay the ransom, you become a bigger target, your next ransom will be higher…”
And paying up doesn’t always pay off. A recent survey by CyberEdge Group of 1,200 IT security decision makers found that close to 20% of ransomware victims paid the ransom but still didn’t get their data back. More than one-quarter of cyber insurance claims received by insurance giant AIG last year were the result of ransomware attacks. And with many players demanding payment in cryptocurrency, companies that do decide to pay could render themselves vulnerable to wild swings in asset value.
This is, according to AIG, is “just the tip of the iceberg”. Ransomware will become even more of a challenge in the future. And the recovery costs are rocketing, with figures predicted to surge from $5 billion in 2017 to $11 billion in 2019. Those that feed the hand that bites them, may soon find the hit too high to pay.