Ransomware Threat Just as Urgent as Terrorism, Say Two-Thirds of IT Pros

Nearly two-thirds (60%) of security professionals believe the threat of ransomware should be treated with the same urgency as terrorism, according to new research by Venafi.

The survey of 1500 IT security decision-makers from the UK, US, Australia, France, Germany and Benelux highlights the growing concerns about the scale and damage of ransomware attacks, which have surged during the COVID-19 crisis.

More than two-thirds (67%) of respondents from organizations with over 500 employees experienced a ransomware attack over the past 12 months. For organizations with 3000-4999 employees, that figure rose to an astonishing 80%.

Of those organizations that have been breached, 17% admitted they paid the ransom. US respondents paid most often (25%), while Australian firms paid the least often (9%).

Worryingly, over a third (37%) of the IT decision-makers admitted they would pay a ransom following a successful attack. However, over half (57%) of this group said they would reverse that decision if they were required to publicly report the payment. This requirement could be put into law in the US under the Ransomware Disclosure Act, a bill recently introduced to the US Senate. This would force organizations to disclose any ransom payments to the Department of Homeland Security (DHS).

Less than a quarter (22%) said they believed paying a ransom to be “morally wrong.”

Despite the growing menace of ransomware, over three-quarters (77%) of the respondents said they were confident the tools they have in place will protect them from these attacks. Australian IT decision-makers had the most confidence (88%) of all the countries included.

However, the survey also found that most organizations do not use security controls that can prevent ransomware attacks early in their life cycle. For example, just 21% restrict the execution of all macros within Microsoft Office documents and under a fifth (18%) restrict the use of PowerShell using group policy.

Kevin Bocek, vice president ecosystem and threat intelligence at Venafi, commented: “The fact that most IT security professionals consider terrorism and ransomware to be comparable threats tells you everything you need to know—these attacks are indiscriminate, debilitating and embarrassing.

“Unfortunately, our research shows that while most organizations are extremely concerned about ransomware, they also have a false sense of security about their ability to prevent these devastating attacks. Too many organizations say they rely on traditional security controls like VPNs and vulnerability scanning instead of modern security controls, like code signing, that are built into security and development processes.”
