How often do organizations pay attackers after ransom attacks?
- Published: Thursday, 30 June 2016 08:21
In a new Radware survey, 84 percent of US and UK information technology executives at companies that had not faced ransom attacks said they would never pay a ransom; however, 43 percent of respondents from companies that had been attacked said that ransoms had been paid. This is one of the findings from Radware’s 2016 Executive Application & Network Security Survey. Radware polled more than 200 IT executives across the US and UK for the study.
The study found that US companies were far more willing to admit that they would pay a ransom. Among US firms that had not been attacked, 23 percent indicated they were prepared to pay a ransom, in contrast to 9 percent in the UK.
Companies that paid ransoms reported an average payment of $7,500 in the US and £22,000 in the UK.
“This is a harbinger of the challenging decisions IT executives will face in the security arena,” said Carl Herberger, Radware’s Vice President of Security Solutions. “It’s easy to say you won’t pay a ransom until your system is actually locked down and inaccessible. Organizations that take proactive security measures, however, reduce the chance that they’ll have to make that choice.”
In addition to the responses to ransom attacks, the survey also found that companies see work-from-home arrangements as an increasing risk. The survey found a big jump in changes to telecommuting policies, with 41 percent of respondents saying they have tightened work-from-home security policies in the last two years.
Other key findings include:
- Wearables require more than a dress code: While about one in three companies implemented security policies around wearables in the last two years, 41 percent said they still have no rules in place, leaving a growing number of endpoints potentially vulnerable. Perhaps this is because wearables aren’t seen as a major target—only 18 percent pointed to wearables when asked what hackers would most likely go after in the next three to five years.
- New connected devices will be the next security frontier: While wearables were less of a concern, many executives surveyed think the Internet of Things (IoT) could become a bona fide security problem. Some 29 percent said IoT devices were extremely likely to be top avenues for attacks, similar to the 31 percent who said the same of network infrastructure.
- Cleaning up after a cyberattack can be expensive: More than a third of respondents in the US said an attack had cost them more than $1 million, and 5 percent said they spent more than $10 million. Costs in the UK were generally lower, with 63 percent saying an attack had cost less than £351,245 or about $500,000, though 6 percent claimed costs above £7 million.
- Security risk is business risk: Whether motivated by ransomware or another factor, attacks impose significant reputational and operational costs on victims. When executives named the top two risks they face from cyber attacks, brand reputation loss led the pack, with 34 percent of respondents choosing that as a big fear. Operational loss (31 percent), revenue loss (30 percent), productivity loss (24 percent), and share price value (18 percent) were also included in the top concerns.
The research was conducted by Merrill Research on behalf of Radware.