
By Mark Guntrip, Senior Director of Cybersecurity Strategy at Menlo Security

Ransomware attacks show no sign of slowing down, according to Menlo Security’s research report conducted earlier this year.

Findings from the ‘2022 Impacts: Ransomware attacks and preparedness’ study, which surveyed UK and US IT security decision makers about how they are dealing with ransomware threats, show that one third of organisations now experience a ransomware attack at least once a week. One in 10 experience them more than once a day.

Attackers are developing more advanced techniques to increase the likelihood of successfully demanding a ransom payment from companies. There’s been a rise in a class of cyber-attacks known as Highly Evasive Adaptive Threats (HEAT). These are designed to bypass detection by traditional security tools, such as Secure Web Gateways, sandbox analysis and phishing detection solutions.

With the ransomware crisis getting worse and new entry points for potential attacks opening up, the question is whether businesses fully understand the risks and whether they are suitably equipped to mitigate the damage and consequences of an attack.

Lack of consensus on how to respond to ransomware attacks

The transition to hybrid and remote working has expanded attack surfaces and exposed many new vulnerabilities, yet security has largely failed to adapt and properly serve these new operating environments.

Many organisations continue to rely on outdated technologies to mitigate HEAT attacks. From antivirus software to firewalls, many of the solutions deployed for on-prem environments more than a decade ago are simply not fit for purpose in dealing with modern cloud-based threats and defending against browser-led attacks.

Fewer than half (45%) of respondents to our own survey say they implement a data backup or recovery plan as the first step in the event of an attack, while just 39% first establish the impact and damage of the attack. Over a third (37%) say they inform all of their employees about an attack, while a third inform their customers as the first step. Just over a quarter of security decision makers contact their CEO or the Board of Directors in the first instance.

More concerning perhaps is that one in 10 respondents admit they don’t know what step one is in the event of an attack.

Asked to rate their confidence in the security solutions commonly deployed to protect data against ransomware attacks, doubts remain among professionals about their ability to mitigate these attacks. While organisations appear to be adopting a multi-layered approach to security, with several options being deployed, no single solution garnered the confidence of more than three-quarters of respondents.

There is, it seems, greater confidence in legacy methods, such as firewalls (74%) and network perimeter strength (66%), than in more modern approaches such as endpoint protection and remote worker protection, which are more effective in protecting against today’s threats, or in mobile device protection.

The issue here is that mobile devices have joined email and desktop/laptop web browsers as one of the leading ransomware attack vectors facing organisations today. So, if mobile devices are not being managed by organisations, they urgently need to consider unmanaged devices as part of their security strategy to mitigate these threats.

Weak links in the cybersecurity chain also remain a concern. When asked what keeps them awake at night, 41% of security professionals admit they worry about ransomware attacks evolving beyond their team’s knowledge and skillset. A similar number worry about threats evolving beyond the company’s security capabilities.

The biggest concern, however, is a familiar one: the risk of employees ignoring corporate security advice and clicking on links and attachments that contain malware or malicious links. Security professionals worry about this more than they do their own job security – with just a quarter worried about losing their job.

Ransom demands – to pay or not to pay?

Of course, there’s the debate about how best to deal with ransomware demands should the worst-case scenario happen. To pay or not to pay?

One in three of our security professionals worry about paying a ransom demand and not getting their data back. Despite this, we were surprised to see that 65% of them would still pay.

Some point towards others to take responsibility for this; around a third (31%) say it’s down to their insurance company to pay it, and nearly one in five say the government should pay. More than a quarter (27%) of respondents say they would never pay a ransomware demand.

The challenges the industry currently faces when it comes to protecting organisations and workers against ransomware – from ransom demands increasing to a feeling that government authorities are not treating ransomware seriously enough – are there to see.

But such concerns are not conducive to an effective security environment. Current approaches need to change, shifting towards empowering senior security professionals with the tools, technologies and solutions needed to reduce operational burdens and provide greater peace of mind, freeing up security leaders to focus on delivering high-value tasks effectively.