Survey shows discrepancies as C-suites are confident in their cyber defences, but 22% don’t have incident response plans in place
Adarma has released research findings from a nationwide ransomware study of 500 C-level executives at UK businesses with over 2,000 employees, aiming to investigate how organisations perceive today’s threats and how prepared they are to respond. The survey discovered a major disconnect in the way organisations think and act in the face of ransomware.
The research found that 58% of respondents have experienced a ransomware attack. Considering these attacks, it is not surprising that 94% of respondents were either concerned or very concerned about being hit by ransomware. However, the results exposed a huge discrepancy as 95% of business leaders were still confident in their ability to respond effectively to a ransomware attack, despite 22% not having an incident response plan in place.
Of those who reportedly suffered a ransomware attack, over two-thirds (67%) confirmed they had paid the ransom. This figure shot up to a staggering 100% among businesses with turnover under £1M. This may also go some way towards explaining the rise in cyber insurance rates. According to Aon’s Cyber Insurance Snapshot report, “throughout 2020, insurers reached, and in many instances surpassed, a tipping point as loss frequency and severity outpaced improved risk selection and limited rate increases.” The report names the key driver of this as “ransomware across all revenue segments, but primarily in the middle market segment.”
Beyond this, is the payment of a ransom demand lawful? Flavia Kenyon, a barrister at The 36 Group, would argue possibly not. “The current legal position is that making a ransom payment per se is not unlawful. What is unlawful is making that payment to terrorist organisations or prescribed groups in breach of international sanctions. As a lawyer, I find this position very troubling. For example, as opposed to the digital world of cryptocurrencies, paying an organised criminal group is a money laundering offence under the Proceeds of Crime Act 2002. But, for policy considerations, there is a reluctance to extend legislation to cyberspace. We need to work together to remove the stigma and secrecy attached to organisations that find themselves in this terrible predicament and have to pay the ransom behind closed doors.” Flavia’s advice to businesses: “until and unless the law becomes clear and less fragmented – have a good risk-based sanctions compliance programme in place, and do not pay the ransom.”
48% of respondents admitted that they would blame the IT Security team if they suffered a ransomware attack, while 33% felt that the company’s CEO or board should be held accountable. Surprisingly, 19% of business leaders believe the individual duped into clicking on a phishing email should be held responsible for a ransomware attack.
When asked whether their organisation had a cyber incident response plan that covers a ransomware attack, 22% of respondents admitted that they were yet to put one in place. Of the 78% of organisations that did have a plan, we also asked whether it involves third parties or departments outside of the IT and Security Operations teams; for almost a fifth (19%) of these organisations, it does not.
“Ransomware is at epidemic levels and there is a disconnect between organisations’ confidence in their levels of preparedness in the face of an attack and what we are seeing on the ground. With almost 60% of UK businesses with more than 2,000 employees having experienced a ransomware attack, it is critical that we elevate this risk within our own organisations,” said John Maynard, chief executive officer at Adarma. “There are a number of steps that organisations can take to reduce their risk of business impact from ransomware attacks, from preventive measures and effective preparation through to detection, disruption, eradication, containment and response. It is critical that we reduce the attack surface, harden our systems, deploy preventive and detective controls, and implement a well-thought-out incident response plan that extends beyond just the technical requirements. Organisations should be regularly simulating an attack to test the effectiveness of their organisational defences and response plans, and adapting and improving before being faced with the real thing.”