Majority of organisations pay ransom money to cybercriminals to get their data and systems back

• In 2021, 71 per cent of organisations surveyed by CyberEdge Group suffered a successful cyberattack
• Many enterprises say it’s cheaper to pay blackmailers and keep the show on the road rather than spend big on countermeasures
• This despite attackers coming back again and again to drink from the same well
• Cyber-security: always a priority, but too often for “next year”

A new piece of research shows that, over the course of 2021, 63 per cent of enterprises and organisations subject to a ransomware attack paid the extortioners – even as governments, national authorities and solutions vendors pressured victims to strengthen and update their often outmoded and insufficient cybersecurity provisions. Many of these systems are so far behind the times that they are frequently hit a second or even a third time by the same cybercriminals who, having been paid off and escaping scot-free the first time around, come back to do it all again – and again.

The Cyberthreat Defence Report 2022, from the CyberEdge Group, the Annapolis, Maryland-based research-and-analysis company that specialises in covering and supporting service providers and cybersecurity vendors, shows that, last year, 71 per cent of the organisations (of all types) that it surveyed suffered some form of a successful cyberattack. The incidence has risen by 16 per cent over the last couple of years and ransomware incursions are now a persistent and spreading blight across the global telecoms, service provider and IT community, costing huge sums, in terms of both hard cash paid and other resources dedicated to getting systems and software up and working again.

Steve Piper, the founder and CEO of CyberEdge, comments: “These days, being victimised by ransomware is more of a question of ‘when’ than ‘if’. Deciding whether to pay a ransom is not easy. But if you plan ahead and plan carefully, that decision can be made well in advance of a ransomware attack. At the very least, a decision framework should be in place so precious time isn’t wasted as the ransom payment deadline approaches.”

That sounds self-evident and obvious but far too many enterprises continue to stick their heads in the sand and just hope that they won’t be targeted or won’t suffer too badly if (when) they are in the majority of those that are hit simply pay-up and carry-on. A lot of lip service is paid to doing something about strengthening cyberdefences but intentions to do something to ameliorate the potential of more attacks often fade as things get back to normal and the financial costs are written through and off the balance sheets. It’s the same with those that haven’t been attacked where concentrating on the daily routine of an organisation continues to take precedence over precautionary planning. As the proverb has it: “the road to hell is paved with good intentions”.

The CyberEdge report shows there are three reasons why organisations pay ransoms: the threat that the extortionists will expose and publicise the data they have stolen, the fact that it can be cheaper to pay the blackmailers than spend on providing proper cybersecurity defences, (at best a short-sighted decision given that attacks can be repeated and at worst just straightforward stupidity) and an increasing (put frequently misplaced) belief that it is getting easier to recover stolen data.

Short of skills, long on training time 

The report also states that few organisations have the necessary (or even any) skilled cybersecurity defence experts working for them and that, from management down, there is a distinct, continuing and very limited awareness of cybersecurity as a huge problem that is getting worse and worse. What’s more, as a result of Covid-19, many enterprises are now more or less permanently short-staffed and those cyberspecialists that are still in-post are under extreme pressure that never lets up. As a result, many are resigning, taking their experience with them when they go, while recruiting and training new staff is a slow and expensive process. It takes months to train people in cybersecurity protocols and defence strategies and not many people are coming forward to take on the intensity and responsibility of completing the training or later applying it in an organisational environment.

CyberEdge says the actions to take to minimise the possibilities of a debilitating and (literally) extortionate ransomware attack are straightforward enough but require a willingness to accept that cash and resources need to be spent now, while successful prevention of later cyberattacks is difficult to prove. That said, systems should always provide detailed logs of any and all attempted incursions and show the defences that were employed to combat them, how then firewalls stood up to the attacks and have the ability to produce advanced security analytics.

Just last month in the UK, the Department for Digital Culture, Media and Sport (DCMS) revealed that at least 50 per cent of UK organisations are suffering from a shortfall in cyber-skilled staff. It’s much the same throughout Europe and North America, and it’s a problem that’s going to take significant time to solve.