Most firms pay millions in ransom, expect attacks to worsen

Pervasive cyberattacks are forcing the majority of companies to pay ransoms and break their “do not pay” policies, with data recovery deficiencies compounding the problem, new research commissioned by Cohesity shows. 

The research was conducted by Censuswide, which polled 902 IT and security decision-makers based in Australia, the United Kingdom, and the United States, and found that companies firmly operate in a “when,” not “if” reality of cyberattacks.

Most companies have paid a ransom in the last two years, and the vast majority expect the threat of cyberattacks to increase significantly in 2024 compared to 2023.

Results show that 79% of respondents said their company had been the “victim of a ransomware attack” between June and December 2023.

The cyber threat landscape is expected to get even worse in 2024, with 96% of respondents saying the threat of cyberattacks to their industry will increase this year and 71% predicting it will increase by more than half.

Organisations’ attack surfaces are informed by the size and scope of their data environments. However, 78% of respondents said their data security risk has now increased faster than the growth in the data they manage. 

Respondents also believe organisations’ cyber resilience and data security strategies are not keeping up with the current threat landscape, with just 21% having full confidence in their company’s cyber resilience strategy and its ability to “address today’s escalating cyber challenges and threats.”

All respondents said they need over 24 hours to recover data and restore business processes.

Just 7% said their company could recover data and restore business processes within one to three days.

More than a third (35%) said they could recover and restore in four to six days, while 34% need one to two weeks.

Almost a quarter (23%) need over three weeks to recover data and restore business processes.

Further demonstrating cyber resilience gaps, just 12% said their company had stress-tested their data security, data management, and data recovery processes or solutions in the six months prior to being surveyed, and 46% had not tested their processes or solutions in over 12 months.

And yet, 94% of respondents said their company would pay a ransom to recover data and restore business processes, while 5% said “maybe, depending on the ransom amount.” 

More than two-thirds (67%) said their company would be willing to pay over $3 million to recover data and restore business processes, with 35% of respondents saying their company would be willing to pay over $5 million. 

The research also showed the importance of being able to respond and recover, as nine in 10 said their organisation had paid a ransom in the prior two years, despite 84% saying their company had a “do not pay” policy.

Brian Spanswick, CISO and head of IT at Cohesity, said organisations can’t control the increasing volume, frequency, or sophistication of cyberattacks such as ransomware. What they can control is their cyber resilience, which is the ability to rapidly respond and recover from cyberattacks or IT failures by adopting modern data security capabilities. 

“It is no surprise that the majority of companies have been hit by cyberattacks like ransomware,” said Spanswick.

“What is alarming is that 90% have paid a ransom, breaking their ‘do not pay’ policies, and most are willing to pay over $3 million in ransoms because they can’t recover their data and restore business processes, or do so fast enough,” he added.