CISOs Have Lost Confidence in Ability to Quash Ransomware

CISOs in the U.S., the UK and Canada are beginning to buckle under the crushing weight of escalating ransomware attacks.

Despite growing budgets to defend against ransomware—budgets have grown by 86%, according to SpyCloud research—it is not enough to counter the onslaught of attacks. Nearly all of the 310 respondents in active IT security roles (90%) in the SpyCloud 2022 Ransomware Report felt the effects of a ransomware attack in the last year—many of them multiple times over. Half of those surveyed said they experienced two to five ransomware incidents.

“Organizations feel less confident about their defenses this year,” the report found, and noted “a slight across-the-board decrease in the number of organizations indicating their existing ransomware mitigation solutions are in good shape and an uptick in organizations looking to upgrade or add new security technologies.”

More organizations “have implemented ‘Plan B’ measures this year, from opening cryptocurrency accounts to purchasing ransomware insurance riders,” which the report said, “suggest that organizations realize threats are slipping through their defenses and a ransomware attack is inevitable.”

The greatest risks faced by organizations are unpatched vulnerabilities, phishing emails and unmanaged devices, cited as the three riskiest entry points for ransomware. “It’s important to understand that all of these entry points are interconnected–and together, they greatly increase the risk of a successful ransomware attack,” the report noted.

Perhaps among the most alarming, but not surprising, findings are the gaps organizations are leaving in their layered defenses. “We weren’t surprised to learn that organizations see data backup as their most important countermeasure and 67.8% are satisfied with the performance of their solution,” SpyCloud researchers said, or that user awareness and endpoint detection also sit at the top of the list of typical defenses.

“We were surprised, however, to see how many organizations overlook other important defenses,” the report said, pointing to respondents perceiving monitoring for compromised web sessions “as the third least important countermeasure.”

Coupled with other gaps in layered defenses, that gives ransomware operators ample opportunities to gain access. The biggest exposure, though, comes from a lack of visibility into true compromises. “Although unpatched vulnerabilities, phishing emails and unmanaged devices deserve attention as risky attack vectors, the riskiest entry points that security teams can’t see result in an even bigger vulnerability,” SpyCloud found. “Devices infected with malware, for example, create one of the biggest exposures to ransomware, and without visibility into those devices and into the resulting accounts compromised through malware-siphoned data, organizations don’t have the complete picture of their risk.”

“The findings from this research may come as a surprise to some, but ransomware isn’t something that can be fixed by simply adding more of the same when it comes to cybersecurity defenses,” said Darren Williams, CEO and founder of BlackFog. “The number of successful attacks we see clearly validates the need for a new approach, as the saying goes ‘keep doing what you’re doing and keep getting what you’re getting.’”

Noting that “fighting ransomware isn’t about throwing money at the problem,” Williams said, “it’s about rethinking everything that IT leaders have learned about cyber defense and adopting a new approach, with disruptive technologies specifically designed to prevent ransomware.”

Organizations may have been able to change the equation with perimeter defense tools and backups when ransomware was about encryption, he said, but “those days are long past us now as bad actors favor data exfiltration and extortion.”

IT security’s efforts to bolster their organizations’ security postures are hampered by numerous factors, chief among them a “lack of skilled personnel to implement solutions, difficulty implementing related tools or technologies and low security awareness among employees,” the study found. “In other words, the biggest barrier is people.”

While CISOs feel ill-equipped to deal with ransomware even as they recognize it as a continuing threat, it is the risk of being attacked through third-party connections—rated 3.99 on a five-point scale—that is driving their security investments.

Organizations should “consider all the factors that drive…risk and think holistically” when making investments in security, “especially when economic factors are at play and you’re under pressure to cut expenses and maximize revenues,” SpyCloud recommended. “While you may feel tempted to halt the purchase of new security tools to fill those gaps, the financial and other impacts a breach can have on your organization will outweigh the small savings from downsizing security investments.”

BlackFog’s Williams said, “IT leaders would be wise to make the assumption that cybercriminals will get into the network if they are intent on doing so.”

“Switching the focus to preventing them from leaving with the crown jewels—the data” by using anti-data exfiltration technology “will ultimately keep them one step ahead of cybercriminals,” said Williams. “When it comes to ransomware it really is all about the data, only by focusing on preventing the exfiltration of it can we really change the narrative when it comes to ransomware.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
