Dive Brief:
- Barely one in five organizations consider their organization as prepared as possible for a potential ransomware attack, according to a survey of 400 IT leaders and professionals involved in their company’s cybersecurity strategy. Almost 15% said they are very or somewhat unprepared for an attack.
- The majority of respondents said they spend less than five hours per week on ransomware preparedness. Almost one-third invest less than an hour per week on the matter.
- Organizations’ perceived state of preparedness and time spent bolstering defenses against ransomware stands out considering how many have already been hit. More than four out of 10 respondents said they’ve had a ransomware attack that resulted in infiltration or data encryption.
Dive Insight:
The gap between perceived and actual preparedness among respondents signifies the extent to which most businesses are still trying to identify and mitigate points of compromise that could be exploited by ransomware threat actors.
This split is particularly apparent in human training. Just two in five respondents said their organization fully implemented a training program for information security, email and ransomware. One in ten said their organization has no such training at all — the remainder have at least started the process.
“Humans are the weakest link and it’s almost always due to lack of training or simple human error,” Scott Lowe, CEO, co-founder and lead industry analyst at ActualTech, wrote in the report. The survey released last week was commissioned by HYCU, which provides cloud-based backup and recovery services.
The study also underscores a common theme in cybersecurity — follow through on preparedness, recovery and response is lacking, even though companies acknowledge threats. Crucial tools and services remain at heightened risk.
“A staggering 40% suffering a ransomware attack would be without business-critical systems for between two and 15 days,” Lowe wrote in the report.
To minimize downtime, organizations need to assess all of their systems and categorize them based on business importance, the study concluded. This exercise allows organizations to develop appropriate mitigation and recovery plans in line with potential risks and investments they’re willing to make in each category.