Only 20% of companies feel confident in their ability to respond to a ransomware attack, according to the latest data breach preparedness study conducted by the Ponemon Institute and sponsored by Experian.
In most incidents, attackers don’t ask for a huge sum … the smaller the dollar amount, the more likely it is victims will pay. According to the survey, the average ransom in 2019 was $6,128 — and 68% of targets paid it.
When the requested ransom is small, some cyber security experts recommend simply paying it off for the sake of regaining control as quickly as possible. The financial loss often doesn’t outweigh the long-term impact of business interruption and the reputational damage that stems from not resolving a situation quickly.
“Companies are waking up to reality that ransomware attacks can be very serious and costly. Even when cyber criminals demand a paltry sum, the attack can end up costing hundreds of thousands or even millions due to business interruption and reputational impact,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
Other survey data suggests that most companies submit to the attackers’ demands primarily because they are unsure of other options and unprepared to launch any other response.
Of 1,106 professionals surveyed, 63% said their organization had prepared for ransomware attacks by auditing and increasing back up of data and systems — up 8% from 2017. Forty-nine percent said they had worked a planned system outage into the business continuity plan in the event of ransomware incident — an increase of 7% from 2017.
Only 12%, however, had defined the circumstances under which they would pay a ransom to resolve the incident — a percentage unchanged from 2017.
This suggests that companies have taken steps in the backend to protect systems and data that come under siege, but still stumble over the immediate, front-facing response. This extends to management of reputational impact as well.
Only 23% of respondents were confident in their ability to minimize both the financial and reputational impact of a data breach, and only 38% believed themselves effective at preventing the loss of customers’ and business partners’ trust and confidence.
Larry Ponemon, chairman and founder, Ponemon Institute
“However, we have seen that a swift response telling impacted parties what happened, why it happened, and how to protect themselves is the key to repairing the company’s reputation,” said Mike Bruemmer, VP of data breach resolution, Experian.
“According to a consumer survey we conducted in 2019, we found that 60% of respondents would forgive a company if the breached business has an effective consumer response and communicates quickly and concisely about what happened.
“So the ability to regain consumers’ trust again is possible. It takes a timely response as well as offering resources to affected consumers,” he said.
Increasing Vulnerability to Phishing Attacks
If preparedness for ransomware attacks is middling at best, the scenario is even worse for phishing attacks.
The percentage of respondents expressing confidence in their ability to recognize and respond to phishing attacks has actually declined over the past three years from 31% in 2017 to 23% in 2019.
Only half of respondents said employees were trained to identify the tell-tale signs of a phishing attempt.
According to the FBI’s 2019 Internet Crime Report, the Bureau’s Internet Crime Complaint Center fielded more reports of phishing attacks than any other type of cyber incident, which collectively caused nearly $58 million in losses. Digital thieves are clearly exploiting companies’ apparent inattention to this type of cyber crime.
“In general, the way I put it is that companies need to be right 100% of the time while criminals need to be right only once. Those odds are in the criminals favor,” Bruemmer said. “Phishing is one of the easiest for criminals to execute and they have a lot of targets in employees.”
Said Ponemon, “There’s less institutional knowledge about how to handle these issues. And adversaries are getting much smarter in their attacks. The skills needed to identify and contain an attack are different and more difficult when dealing with ransomware and phishing.”
Bruemmer said the threat is growing with the advent of “smishing” — phishing attacks conducted over SMS text.
“Companies should be on alert that employees’ company mobile devices can also be a breach surface,” he said.
Preparedness for Privacy-Related Risks Looks Promising
Despite lack of preparedness for newer types of cyber attack, companies have gotten better and girding against and responding to breaches of confidential data.
Mike Bruemmer, vice president of data breach resolution, Experian
Respondents felt more confident handling matters like notification to regulators and customers, forensic investigation, and provision of services like credit monitoring and identity theft protection.
More companies say they are strengthening the security of their IT systems, practicing response plans with table-top exercises and drills, training employees more thoroughly on cyber exposures, and regularly reviewing who has access to their systems and through what points of entry.
This is likely because this exposure is older — privacy-related risks are what cyber insurance policies were originally created to cover.
Companies have a greater wealth of experience and loss history to learn from. Risk mitigation and incident response have improved as privacy risks became better understood.
Trends to Watch
This suggests that preparedness for newer methods of cyber crime could follow the same curve.
As time goes on, a greater volume of incidents may help to flesh out the most effective defense strategies.
Continued evolution of the cyber insurance market will also help.
Despite increasing awareness of the frequency and severity of data breaches, only 49% of survey respondents carried a cyber policy.
As brokers and carriers grow more adept at pitching the value of cyber insurance — and as policies expand to affirmatively cover things like ransomware and phishing which may otherwise fall under K&R and crime policies — it’s likely that more companies will purchase coverage. &
Katie Dwyer is a freelance editor and writer based out of Philadelphia. She can be reached at [email protected]