Cybersecurity debt rises as 5 in 6 firms paid ransom

Organisations increasingly find themselves under attack and are drowning in cybersecurity debt – unaddressed security vulnerabilities like unpatched software, unmanaged devices, shadow IT, and insecure network protocols that act as access points for perpetrators — according to ExtraHop.

The company’s 2023 Global Cyber Confidence Index shows that organisations experienced a significant increase in ransomware from an average of four attacks over five years in 2021 versus four attacks over the course of one year in 2022. 

Of those who fell victim, 83% admitted to paying the ransom at least once.

Conducted by Wakefield Research, the global study on which the report is based compares IT leaders’ cybersecurity practices with the reality of the attack landscape.

Findings show that outdated practices are to blame. More than three-fourths (77%) of IT decision makers say outdated cybersecurity practices have contributed to at least half of the cybersecurity incidents their organisations have experienced. 

Despite these concerning figures, fewer than one-third said they have immediate plans to address any of the outdated security practices that put their organisations at risk.

The study also found that basic cyber hygiene is lacking, with 98% of respondents are running one or more insecure network protocols, a 6% increase from 2021. 

Despite calls from leading technology vendors to retire SMBv1, which played a significant role in the explosion of WannaCry and NotPetya, 77% are still running it in their environments. 

When it comes to unmanaged devices, 53% say some of their critical devices are capable of being remotely accessed and controlled, with another 47% saying their critical devices are exposed to the public internet.

And yet, confidence in cloud security is on the rise. As organisations move mission critical applications and sensitive data to the cloud, the need to monitor cloud workloads has never been greater. 

With a greater focus on their cloud environments, 72% of respondents said they were completely or mostly confident in the security of their organisation’s cloud workloads.

“As organisations find themselves overburdened by staffing shortages and shrinking budgets, it’s no surprise that IT and security teams have deprioritised some of the basic cybersecurity necessities that may seem a bit more mundane or expendable,” said Mark Bowling, ExtraHop’s chief risk, security and information security officer. 

Bowling said the probability of a ransomware attack is inversely proportional to the amount of unmitigated surface attack area, which is one example of cybersecurity debt. 

He said the liabilities, and, ultimately, financial damages that result from this deprioritisation compounds cybersecurity debt and opens organisations up to even more risk. 

“Greater visibility into the network with an NDR solution can help reveal the cyber truth and shine a light on the most pressing vulnerabilities so they can better take control of their cybersecurity debt,” Bowling said.