By now, we’re all familiar with the need for an “assume breach” mindset where ransomware and other cyber threats are concerned. To better understand the necessity and challenges of this approach, we partnered with international market research firm Censuswide to ask organizations about their experience with ransomware attacks. What we learned about the reality of ransomware is gruesome.
Download the 2024 Ransomware Risk Report
Companies must reinforce their “assume breach” mindsets
Today, we’ve published Semperis’ 2024 Ransomware Risk Report, which examines ransomware statistics gathered from a survey of 900 companies across the US, UK, Germany, and France. This study shows that not only were the majority (83%) of these organizations targeted by ransomware in the past 12 months, but 74% of those companies were attacked for ransomware multiple times.
Based on these findings, we urge organizations to reinforce their ”assume breach” mindsets. It’s now time to make sure that “assume breach” approach is adopted across the organization —and to step up your identity defense strategy accordingly.
Most companies feel compelled to pay ransom
I’ve written and spoken many times about the reasons to resist paying ransom. Payment does not guarantee successful decryption, and many ransom payments go on to fund criminal and terrorist activities. We see resisting ransomware gangs as more than good business practice; it’s part of Semperis’ mission to be a force for good.
Yet our study also found that 78% of ransomware victims paid ransom; 72% paid more than once in the span of a year. And an alarming 32% of victims in our study paid ransom four times or more over that period.
These new ransomware statistics reveal a troubling reality. Despite the deployment of data, application, and system backups, and despite the implementation of identity recovery plans, most companies still feel compelled to pay ransom.
Identity threat detection and response still falls short for many
Semperis has helped some of the world’s largest organizations defend their identity systems and thereby strengthen their operational resilience. Our experts understand that a key capability in the fight against ransomware is the ability to defend and recover Tier 0 identity systems like Active Directory (AD).
Our study shows something that our experts have long understood: An effective defense against cyber threats doesn’t end with endpoint protection. For most organizations, Active Directory is at the heart of operational resilience. And the ability to quickly recover Active Directory is a deciding factor in the ability to say “no” to ransomware attackers.
Because AD manages access to nearly all users, groups, applications, and resources, it is a top target for attackers. Yet only 27% of the companies we surveyed said that they maintain dedicated, Active Directory–specific backups.
Traditional means of AD recovery rely on time-consuming, manual processes. Many other approaches rely on backups that don’t isolate Active Directory from the operating system, enabling attackers to plant backdoors and malware that frustrate recovery efforts or open a path for future attacks.
The industry often notes that identity has become the new security perimeter. Our study shows that businesses are adopting identity protection plans. Yet these new ransomware statistics also show that without the tools to quickly recover Active Directory—the heart of the identity infrastructure—to a known safe state, those plans clearly don’t equate with the ability to fend off ransomware attacks.
Essential protection strategies for business leaders
So, why aren’t organizations stepping up their AD-specific defenses? Many participants in our study expressed concern with a lack of Board support for their cybersecurity efforts. In our experience, the best way to address this concern is for CISOs and CIOs to put the price of identity security and resilience into straightforward business terms, weighing the benefits of cyber defense against the total costs of ransomware.
Our study confirms that these costs go beyond a single ransom payment. Many study participants noted multiple payments, as well as loss of cyber insurance, layoffs and resignations, reputational damage, fines and lawsuits, and temporary and permanent business closures.
As Chris Inglis, former US National Cyber Director and a Semperis Strategic Advisor, has said, “The job of a CISO is to extend the aspirations of the business, using digital infrastructure. CISOs can say, ‘I’ve read the business plan. This is how we extend that plan using digital infrastructure.’ That makes the Board’s hearts sing … and creates a beneficial, virtuous circle in terms of how then to we feed resources [to cybersecurity efforts] so that the CISO can lead as they’re expected to do.”
We hope that the ransomware statistics in the 2024 Ransomware Risk Report will help CISOs and other IT and cybersecurity leaders open productive conversations with Board members in a concerted effort to improve both identity security and operational resilience. We would love to hear your thoughts on the report and your own challenges with ransomware. Find Semperis on LinkedIn to join that conversation.