Almost half of surveyed Canadian organizations that suffered a recent ransomware attack paid in the hope of getting access to their data back, according to a study by one of the country’s biggest telcos. That hope, however, was realized for just under half of them.
The message of the Telus study is that the odds of getting your data back by paying a ransom are less than 50/50.
It found that 67 per cent of the 463 respondents to the survey said their organization had been hit by ransomware. Of that number, 44 per cent said their organization had paid a ransom. And of those who paid, fewer than half (42 per cent) said they got full access to their data back. Forty-nine per cent said they only got partial access back. Seven per cent who paid said they never got their data back.
Experts in other reports have said problems with data access can range from poor decryption keys to hackers who lie.
“It is important to recognize what the data demonstrates,” says the report. “Payment is far from a guaranteed ransomware recovery strategy.”
While many ransomware groups demand that victim firms pay the full ransom, doing so is no guarantee that data access will be restored: 55 per cent of respondents said that when their organizations paid the full ransom they got full data restoration. Negotiating, the report says, may make things worse: only 32 per cent of organizations that negotiated the ransom received full data restoration.
Another notable statistic: 15 per cent of respondents whose organizations suffered a ransomware attack said they were re-infected by the same ransomware after recovery.
“The ransom payment is what gets the headlines but it really only accounts for 16 per cent of the total costs to get back to business as usual,” Kevin Lonergan, senior strategy manager with Telus Business, said in an email to ITWorldCanada.
“Given today’s hyper-competitive market, where technology drives competitive advantage, seeing 45 per cent of organizations report delayed or canceled IT projects and 37 per cent report delayed or canceled business investments, it becomes clear how an incident could set an organization behind its competitors and cost them future market share.
“The bottom line, no organization is immune, we’re all in this together. Proactive preparedness is key to protecting your organization, data and customers.”
The survey covered 463 IT leaders or decision-makers from organizations with 50 or more employees. Eighty per cent of them said they were “very knowledgeable” about their organization’s cybersecurity strategy, with the remaining 20 per cent saying they were “knowledgeable.”
The report, released earlier this month, also found that the average ransom paid was $140,000. Significantly more was paid by larger organizations. That doesn’t include the direct or indirect costs of the breach such as lost revenue, hardware or software that needed to be replaced or re-imaged, delayed or canceled IT or business projects and loss of employee productivity.
The real total, the report estimates, ranges from $500,000 for small organizations to $1.5 million for larger organizations.
Just under half of the respondents said the top reason for not paying was high confidence levels in their data backups. Thirty-eight per cent said bad publicity was at least a consideration for not paying, while almost equal numbers said they didn’t believe the hackers would restore data access, or their company leaders advised against paying.
Given the impact a ransomware attack can have on a firm, the report says it is surprising only 57 per cent of respondents said their organization periodically updates and tests its ransomware response plan.
“Having an up-to-date response plan could make the difference between maintaining an organization’s reputation and facing significant negative publicity,” the report says.
Here’s why: some organizations underestimate how long it will take to contain a ransomware attack. Forty-five per cent of respondents who hadn’t experienced a successful attack believed that their response time would be less than a day. However, among respondents whose organizations had been victimized, just over half said it took more than one day but less than a week to effectively contain and eradicate an attack. Twenty-two per cent said it took them weeks or months.
For 86 per cent of respondents, the ransomware attack infected only endpoint devices, and those attacks were contained and eradicated within a week, the report says. However, when attacks extend into other on-premises IT systems or cloud systems, response times grow to beyond a week.
The report also urges IT leaders not to put all their hopes on insurance companies for recovering ransomware costs.
“Cyber insurance as a ransomware risk management tool is less effective than a preventative approach,” says the report. Of the survey group, only 40 per cent had cyber insurance. In the last 12 months, 66 per cent of them had submitted a claim for ransomware attacks. Of these, 79 per cent received a payout, but insurance coverage for 28 per cent of them was subsequently dropped. Eight per cent didn’t receive any payout at all. A further nine per cent are still waiting for a payout.
Telus says that for ransomware defence, organizations need to:
- have a formal vulnerability management program;
- create, review, and test an incident response plan;
- have a layered IT defence including strong email filtering, endpoint protection and response, and round-the-clock network monitoring;
- and have an employee security awareness training program.
Here is a link to the full study. Registration is required.