
Overestimating cyber resilience leads to business continuity issues, ransom payments

The Cohesity Global Cyber Resilience Report 2024, which surveyed more than 3,100 IT and security decision makers in eight countries, confirms that the threat of cyber attacks, especially ransomware, continues to grow: the majority of respondents had been victims of a ransomware attack in the previous six months, and most had paid a ransom in the past year.

Most respondents said the threat of cyber attacks to the industry in which their organization operates has increased, or will increase, in 2024 compared to 2023.

According to respondents, their companies' cyber resilience strategies are holding up against the worsening threat landscape, with nearly 4 in 5 (78%) saying they have confidence in their company's cyber resilience strategy and its ability to "address growing cyber challenges and threats."

At the same time, 67% of respondents revealed that they had been "the victim of a ransomware attack" in 2024, and 96% indicated that the threat of cyber attacks to their industry has increased or will increase this year, with nearly 3 in 5 (59%) saying it had grown, or will grow, by more than 50% compared to 2023.

Organizations pay ransoms and violate their own "do not pay" policies

While most respondents said they were "mostly confident" or had "full confidence" in their organization's cyber resilience strategy, only 6% said their company would not pay a ransom to recover data and restore business processes, or to do so faster; 83% reported that their company would pay.

Globally, 75% of respondents said their company would be willing to pay more than $1 million in ransom to recover data and restore business processes, and 22% said their company would be willing to pay more than $5 million.

Nearly 7 in 10 (69%) respondents said their organization had paid a ransom in the year before they were surveyed, despite 77% reporting that their company had a "do not pay" policy. Of the more than 2,100 respondents who said they had paid a ransom in the past year, the amounts paid were:

  • 37% paid ransoms between $1 and $249,999
  • 23% paid ransoms between $250,000 and $499,999
  • 23% paid ransoms between $500,000 and $999,999
  • 12% paid ransoms between $1,000,000 and $2,999,999
  • 6% paid ransoms between $3,000,000 and $9,999,999
  • 0.33% (7 respondents) paid ransoms between $10,000,000 and $25,000,000

"The reality for organizations is that destructive cyber attacks such as ransomware are a 'when, not if' reality that threatens their business continuity. However, organizations can address this reality head on by improving their cyber resilience – the ability to quickly respond to and recover from cyber attacks or traditional business continuity scenarios – by adopting modern security, response and data recovery capabilities," said Brian Spanswick, CISO and Head of IT at Cohesity. "Organizations may have the highest confidence in their cyber resilience, both in their strategy and capabilities, but the reality is that most are paying ransoms or would pay a ransom, so organizations are overconfident or overestimating their cyber resilience."

Companies' confidence in their cyber resilience doesn't match the realities of recovery and restoration

Based on survey responses, cyber resilience remains a challenge that threatens business continuity.

Only 2% of respondents said they could recover data and restore business processes within 24 hours, while 18% said their company could do so within 1 to 3 days.

Another 32% said they could recover and restore in 4 to 6 days, 31% would need 1 to 2 weeks, and nearly 16% would need three weeks to recover data and restore business processes.

When asked what their organization's "target optimal recovery time objectives (RTOs) are to minimize business impact in the event of a cyber attack or compromise incident," 98% of respondents said their target was within a day, even though only 2% reported that they could actually recover data and restore business processes in that period. Nearly 1 in 2 (45%) said the optimal target RTO was within two hours.

Only 2% of respondents said their organization's tolerance for business continuity disruption and downtime caused by a cyber attack or data breach was 24 hours or less.

Almost 31% of respondents said their business's tolerance for downtime was between 1 and 3 days, 53% said 4 to 6 days, and 12% said more than a week.

Nearly half said they had tested their "data security, data management and data recovery processes or solutions" by simulating a response to a cyber event or data breach in the past six months.

Zero trust, data security and privacy remain a challenge despite improved regulations and legislation

More than half (54%) of respondents said their "centralized visibility" of critical data across IT and security could be improved in order to detect anomalies and determine whether sensitive data has been exposed or breached.

When asked which data access control measures they had implemented to align with zero trust security principles, just over half of companies said they had implemented multi-factor authentication, and fewer than half had implemented either controls that require multiple approvals before data can be changed or role-based access controls:

  • Multi-factor authentication (MFA): 52 percent
  • Quorum controls or administrative rules that require multiple approvals: 49 percent
  • Role-based access control (RBAC): 46 percent
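The second and third controls in that list are worth seeing in concrete form, because the failure they prevent is a single compromised administrator account deleting or shortening the retention of the very backups recovery depends on. The following is an added example, written for this page and not code from Cohesity or from the report; the role names, action names, quorum sizes and approval lifetime are constructed assumptions. It evaluates a destructive request against an RBAC table (who may approve what), a quorum policy (how many distinct approvers), an MFA requirement on each approval, separation of duties (the requester cannot approve their own request) and a freshness window, and it explains every rejected approval so an auditor can see why a request was refused.

```python
"""Quorum-gated, RBAC-checked approval of destructive data-platform actions.

Added example: role and action names, quorum sizes and the TTL are assumptions.
"""
from dataclasses import dataclass

# RBAC: which roles may approve which actions (constructed, illustrative only).
ROLE_PERMISSIONS = {
    "backup-admin": {"snapshot.delete", "retention.shorten"},
    "security-admin": {"snapshot.delete", "retention.shorten", "immutability.disable"},
    "operator": {"snapshot.restore"},
}

# Quorum policy: distinct, MFA-verified approvers required per destructive action.
QUORUM = {"snapshot.delete": 2, "retention.shorten": 2, "immutability.disable": 3}

APPROVAL_TTL_SECONDS = 15 * 60  # an approval older than this is stale and ignored


@dataclass(frozen=True)
class Approval:
    approver: str       # identity of the approving administrator
    role: str           # role the approver holds; checked against ROLE_PERMISSIONS
    request_id: str     # the specific change request this approval is bound to
    mfa_verified: bool  # whether the approver completed MFA for this approval
    issued_at: int      # unix timestamp at which the approval was recorded


def evaluate_quorum(action, request_id, requester, approvals, now):
    """Return (allowed, reasons).

    Allowed only when at least QUORUM[action] distinct approvers each supplied an
    approval that is bound to this request, MFA-verified, fresh, and made under a
    role permitted to approve the action. The requester never counts.
    Unknown actions are refused (deny by default).
    """
    reasons = []
    required = QUORUM.get(action)
    if required is None:
        return False, [f"{action}: not a quorum-controlled action; refusing by default"]

    accepted = set()
    for a in approvals:
        if a.request_id != request_id:
            reasons.append(f"{a.approver}: approval is for {a.request_id}, not {request_id}")
        elif a.approver == requester:
            reasons.append(f"{a.approver}: requester may not approve their own request")
        elif not a.mfa_verified:
            reasons.append(f"{a.approver}: approval was not MFA-verified")
        elif now - a.issued_at > APPROVAL_TTL_SECONDS:
            reasons.append(f"{a.approver}: approval is stale")
        elif action not in ROLE_PERMISSIONS.get(a.role, set()):
            reasons.append(f"{a.approver}: role {a.role} may not approve {action}")
        elif a.approver in accepted:
            reasons.append(f"{a.approver}: duplicate approval ignored")
        else:
            accepted.add(a.approver)

    if len(accepted) < required:
        reasons.append(f"quorum not met: {len(accepted)} of {required} valid approvals")
        return False, reasons
    return True, reasons


if __name__ == "__main__":
    # Constructed scenario: two admins approve deleting snapshots requested by a third.
    NOW = 1_720_000_000
    approvals = [
        Approval("alice", "backup-admin", "req-42", True, NOW - 60),
        Approval("bob", "security-admin", "req-42", True, NOW - 30),
    ]
    ok, why = evaluate_quorum("snapshot.delete", "req-42", "carol", approvals, NOW)
    print("allowed" if ok else "refused", why)

    # Same two approvals cannot disable immutability, which needs three approvers.
    ok, why = evaluate_quorum("immutability.disable", "req-42", "carol", approvals, NOW)
    print("allowed" if ok else "refused", why)
```

The order of the checks matters less than the fact that every rejected approval is recorded rather than silently dropped: when the quorum is not met, the reasons list tells the operator whether the problem is a missing second approver, a skipped MFA step, or a role that should never have been asked. Binding each approval to a request ID also stops a captured "yes" from being replayed against a different, more damaging request.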

"The most vital element of cyber resilience is the ability to recover the business-critical data that restores key business processes. But you can't restore critical data if you don't first protect it from external or internal threats. This starts with implementing effective data access controls such as multi-factor authentication (MFA) and role-based access controls (RBAC)," said Spanswick. "The fact that nearly 1 in 2 organizations do not implement these controls to protect sensitive data is alarming and demonstrates a significant risk to an organization's cyber resilience, especially considering that regular consumers and end users are often – and rightfully so – required to have MFA enabled to secure their account credentials. MFA is also an important defense against attack techniques based on artificial intelligence."

Despite great efforts by governments and public institutions to encourage stronger cybersecurity, data protection and data privacy measures, only 42% of respondents said they have all the IT and security technology capabilities needed to identify sensitive data and comply with applicable data privacy laws and regulations. The survey also found that 79% of respondents said "advanced threat detection, data isolation and data classification were vital" to qualifying their organization for cyber insurance or obtaining discounts on their cyber insurance policies.

When asked "Which industries and/or sectors, if any, do you think are most affected by cyber attacks?", respondents' answers produced the following "Top 7" most affected industries or sectors:

Globally:

  1. IT and technology – 40 percent
  2. Banking and wealth management – 27 percent
  3. Financial services (including insurance companies) – 27 percent
  4. Telecommunications and media (including streaming services) – 24 percent
  5. Government and public services – 23 percent
  6. Utilities (including water, electricity, gas and other energy service companies) – 21 percent
  7. Manufacturing – 21 percent

AI is both a help and a hindrance in managing growing cyber threats

According to respondents, organizations now have to deal with AI-based cyber attacks and threats: 4 in 5 (80%) said they had responded to what they believe were AI-based attacks or threats in the past 12 months.

Of the respondents who had responded to an AI-based cyber attack, 82% said they have "the necessary AI-based solutions to counter and respond to these attacks."

Of the 18% who said they had not responded to AI-based cyber attacks or threats in the past year, fewer than half (49%) said they had "the necessary AI-based solutions to counter and respond to these attacks"; over a third (36%) said they did not, and nearly 1 in 7 (15%) said they were not sure.

"Cyber resilience is critical because the incentives and motivation for attackers are so high, and attack surfaces so incredibly vast, that relying on protective controls alone is unrealistic," Spanswick said. "Successful cyber attacks and data breaches severely disrupt business continuity, impacting revenue, reputation and customer trust. This risk needs to be at the top of business leaders' priorities, not just those of IT and security leaders. Similarly, regulations and legislation should not be seen by companies as a 'ceiling' but as a 'floor', both in developing cyber resilience and in adopting security and data recovery capabilities."

The findings are based on a survey of 3,139 IT and security decision makers (split as close to 50:50 between the two groups as possible), commissioned by Cohesity and conducted by Censuswide from June 27, 2024 to July 18, 2024. The top five industries that respondents selected as best representing their company's operations were IT and telecommunications, manufacturing, financial services (including insurance), banking and wealth management, and hospitals and healthcare.
