New research commissioned by AI-focused data security firm Cohesity reveals that 97% of UK companies have paid a ransom in the past two years, contradicting their ‘do not pay’ policies. The study, involving over 900 IT and Security decision-makers, suggests the risk of cyberattacks is set to significantly rise in 2024.
It further highlights that businesses’ cyber resilience strategies are lagging, with slow data recovery times posing a major challenge and leading to more ransom payments. The findings underscore the need for executive management to take responsibility for data security risks and attacks.
- 97% of UK companies surveyed have paid a ransom in the last two years, with the majority expecting an increase in cyberattacks in 2024.
- 74% of respondents said their data security risk has increased faster than the growth in the data they manage.
- Only 25% of companies have full confidence in their cyber resilience strategy, and just 12% have stress-tested their data security processes in the past six months.
Rising Temptation to Pay Ransoms Despite Policies
The majority of companies are caving in to cyberattacks and paying ransoms, despite having policies against such action in place. This unsettling trend comes from a recent study involving over 900 IT and Security decision-makers, including 301 from the UK. The research indicates that an alarming 97% of UK companies polled have paid a ransom in the past two years. They are operating under the assumption that cyberattacks are a ‘when’, not an ‘if’, scenario.
Ransomware Attacks – An Unavoidable Threat?
Recent data shows that between June and December, eight out of ten companies were victims of a ransomware attack. What’s more concerning is that most of these companies expect the threat of cyberattacks to intensify, with 95% predicting an increase this year and 70% foreseeing the rise to be more than 50%.
Data Security Risk Outpaces Growth
The study revealed that 74% of respondents believe their data security risk is growing faster than the amount of data they manage. This suggests that companies’ cyber resilience strategies are not keeping pace with the evolving threat landscape. Only a quarter of respondents expressed full confidence in their company’s cyber resilience strategy and its ability to tackle the mounting cyber threats.
“The figures in the survey show huge deficiencies in an organisation’s ability to achieve the required recovery times to avoid significant disruption,” said James Blake, Global Head of Cyber Resiliency GTM Strategy, Cohesity.
Disheartening Recovery Rates
The ability to recover data and restore business processes swiftly is integral to business continuity. However, the survey results paint a dismal picture. All respondents admitted that they needed over 24 hours to recover data and restore business processes. Merely 10% could complete the recovery within 1-3 days, and almost a quarter needed more than three weeks.
Management’s Role in Cyber Resilience
The study also highlighted the need for greater executive awareness and responsibility in data security. Only 31% of respondents felt that their senior and executive management fully grasped the seriousness of data security risks. Four out of five respondents believe that the responsibility for their company’s data security strategy should be shared by executive management (C-Level) and boards.
Regulation Impact on Cyber Resilience Practices
Despite governments and public institutions pushing for better cybersecurity and data management practices, the impact seems limited. Only 46% of respondents felt that these initiatives, legislation, and regulations are driving their companies’ data security, data management, or data recovery initiatives.
Final Thoughts
These findings present a stark reality of the current cybersecurity landscape. Companies need to bolster their cyber resilience strategies and recovery capabilities to combat the escalating threat of cyberattacks. The alarming trend of companies paying ransoms, despite ‘do not pay’ policies, reflects a dire need for a more robust defence and recovery system. As cyber threats grow larger and more frequent, companies must step up their game and ensure they’re not just reactive but proactive in their approach to cybersecurity.
FAQ
Q: What percentage of companies have paid a ransom in the last two years?
A: The research reveals that nearly all companies polled, a staggering 97% in the UK, have paid a ransom in the last two years.
Q: How many companies expect the threat of cyberattacks to increase significantly in 2024 compared to 2023?
A: The majority of companies expect the threat of cyberattacks to increase significantly in 2024 compared to 2023, with 95% of respondents saying the threat of cyberattacks to their industry will increase this year.
Q: What percentage of companies have been the victim of a ransomware attack between June and December?
A: Alarmingly, 8 in 10 (83%) respondents said their company had been the ‘victim of a ransomware attack’ between June and December.
Q: How confident are companies in their cyber resilience strategies?
A: Respondents believe organisations’ cyber resilience and data security strategies are not keeping up with the current threat landscape, with just 25% having full confidence in their company’s cyber resilience strategy and its ability to ‘address today’s escalating cyber challenges and threats’.
Q: How long does it typically take for companies to recover data and restore business processes after a cyberattack?
A: All respondents said they need over 24 hours to recover data and restore business processes. Just 10% said their company could recover data and restore business processes within 1-3 days. 38% said they could recover in 4 to 6 days, and 34% need 1-2 weeks to recover. Alarmingly, almost 1 in 4 (24%) need over 3 weeks to recover data and restore business processes.
Q: How many companies have stress tested their data security, data management, and data recovery processes or solutions?
A: Just 12% said their company had stress tested their data security, data management, and data recovery processes or solutions in the six months prior to being surveyed, and 46% had not tested their processes or solutions in over 12 months.
Q: How many companies would be willing to pay a ransom to recover data and restore business processes?
A: A huge 97% of respondents said their company would pay a ransom to recover data and restore business processes, while 5% said ‘maybe, depending on the ransom amount.’
Q: How many respondents said their senior and executive management fully understands the serious risks and daily challenges of protecting, securing, managing, backing up, and recovering data?
A: Just 31% said their senior and executive management fully understands the ‘serious risks and daily challenges of protecting, securing, managing, backing up, and recovering data.’
Q: What are the biggest concerns of respondents regarding a successful data breach or cyberattack?
A: Respondents prioritised their biggest concerns about a successful data breach or cyberattack, which include brand and reputational damage, long-term operational outcomes and projects, a direct hit to revenue, and a loss of stakeholder trust.
Q: How many respondents said that government initiatives, legislation, and regulations are driving their companies’ data security, data management, or data recovery initiatives?
A: Only 46% of respondents said that government initiatives, legislation, and regulations are driving their companies’ data security, data management, or data recovery initiatives.