The CyberEdge Group has released a new report that suggests that ransomware attacks are becoming increasingly lucrative for cybercriminals. The ninth annual Cyberthreat Defense Report (CDR) specifically found that almost two-thirds (63 percent) of the organizations hit with a ransomware attack opted to pay the ransom to recover their stolen data.
That success rate is up from 39 percent in 2017, and helps to explain why more and more fraudsters are embracing the ransomware strategy. Fifty-five percent of organizations suffered a ransomware attack in 2017, and that figure is now up to 71 percent in 2022.
According to the CDR, large organizations are paying the ransom because doing so is often viewed as safer and more cost-effective than fighting the attack. A full 72 percent of the organizations that paid a ransom got their data back, and in many cases, the size of that ransom was less than the amount that would be lost if a system were to go down, or the cost of a lawsuit if hackers leak customer data. The fact that fraudsters are returning data also gives organizations more confidence in the transaction, insofar as they are more likely to get what they pay for.
“These days, being victimized by ransomware is more of a question of ‘when’ than ‘if,’” said CyberEdge Group Founder and CEO Steve Piper. “Deciding whether to pay a ransom is not easy. But if you plan ahead, and plan carefully, that decision can be made well in advance of a ransomware attack so time isn’t wasted as the ransom payment deadline approaches.”
Of course, most organizations would prefer not to deal with a ransomware attack. The problem is that few organizations have the personnel needed to implement an effective cybersecurity strategy. Eighty-four percent of the CDR respondents reported a shortage of skilled IT professionals, and many organizations are not taking proper steps to train the employees they already have. On that front, the CDR found that organizations seldom follow up with employees about security best practices after they are hired, even though most data breaches can be attributed to poor security training and human error.
Accordingly, organizations viewed the human component as a bigger security challenge than budget or technology concerns. The vast majority (83 percent) of organizations increased their security budget in the past 12 months. Many of those organizations are investing in biometric access control as they try to secure hybrid networks and mobile devices.