Cohesity Finds Organizations Overestimate Cyber Resilience, Risking Continuity and Ransom Payments
Almost Half of Companies Need Over 6 Days To Recover Data & Restore Usual Business Processes
Cyber resilience research commissioned by Cohesity, a leader in AI-powered data security, reveals that organizations overestimate their cyber resilience capabilities and maturity, leading to significant business continuity disruptions and ransom payments. The Cohesity Global Cyber Resilience Report 2024, which polled over 3,100 IT and Security decision-makers in eight countries [1], confirms that the threat of cyberattacks, especially ransomware, continues to rise: the majority of respondents fell victim to a ransomware attack in the last six months, and most paid a ransom in the past year. Moreover, most respondents said the threat of cyberattacks to their organization’s industry has increased or will increase in 2024 compared to 2023.
According to respondents, companies’ cyber resilience strategies are holding up against a worsening cyber threat landscape, with close to 4 in 5 (78%) saying they have confidence in their company’s cyber resilience strategy and its ability to ‘address today’s escalating cyber challenges and threats’ [2]. At the same time, over 2 in 3 (67%) respondents revealed they had been the ‘victim of a ransomware attack’ in 2024; 96% said the threat of cyberattacks to their industry had increased or would increase this year, with close to 3 in 5 (59%) saying it had increased or will increase by over 50% compared to 2023.
Organizations Are Paying Ransoms & Breaking ‘Do Not Pay’ Policies
However, despite the majority of respondents saying they were ‘mostly confident’ or had ‘complete confidence’ in their organization’s cyber resilience strategy, only 6% of respondents said their company would not pay a ransom to recover data and restore business processes (or to do so faster), while 83% said they would [3]. In fact, 3 in 4 (75%) respondents globally said their company would be willing to pay over US$1 million in ransoms to recover data and restore business processes, and over 1 in 5 (22%) said their company would be willing to pay over US$5 million.
Concerningly, close to 7 in 10 (69%) respondents said their organization had paid a ransom in the year before being surveyed, despite 77% saying their company had a ‘do not pay’ policy. The more than 2,100 respondents who had paid a ransom said the ransoms [4] they paid in the past year totaled:
- 37% have paid ransom(s) between US$1 – US$249,999
- 23% have paid ransom(s) between US$250,000 – US$499,999
- 23% have paid ransom(s) between US$500,000 – US$999,999
- 12% have paid ransom(s) between US$1,000,000 – US$2,999,999
- 6% have paid ransom(s) between US$3,000,000 – US$9,999,999
- 0.33% (7 respondents) have paid ransom(s) between US$10,000,000 – US$25,000,000
“The reality for organizations is that destructive cyberattacks, like ransomware, are a ‘when’ not ‘if’ reality that threatens their business continuity. However, organizations can tackle this reality head-on by enhancing their cyber resilience – the ability to rapidly respond and recover from cyberattacks or traditional business continuity scenarios – by adopting modern data security, response, and recovery capabilities,” said Brian Spanswick, CISO and CIO, Cohesity. “Organizations may have the greatest confidence in their cyber resilience, both in their strategy and capabilities, but the reality is that the majority are paying ransoms or would pay a ransom, so organizations are overconfident or overestimate their cyber resilience.”
Companies’ Confidence In Cyber Resilience Doesn’t Match Recovery & Restoration Realities
Cyber resilience is the technology backbone for business continuity. Cyber resilience defines companies’ ability to recover their data and restore business processes when they suffer a cyberattack. However, cyber resilience remains a challenge that threatens business continuity, according to respondents:
- Only 2% of respondents said they could recover data & restore business processes within 24 hours
- 18% said their company could recover data and restore business processes within 1-3 days
- 32% said they could recover and restore in 4 to 6 days, while 31% would need 1-2 weeks
- Almost 1 in 6 (16%) need over three weeks to recover data and restore business processes
Conversely, when asked what their organization’s ‘targeted optimum recovery time objectives (RTO) to minimize business impact in the event of a cyberattack or incident of compromise’ was, 98% of respondents said their target was within one day, despite only 2% saying they could recover data and restore business processes within this same period. Almost 1 in 2 (45%) said their targeted optimum RTO was within two hours.
Customers and consumers expect consistent continuity of operations or services, which is why effective cyber resilience is vital. Yet, only 2% said their organizations’ tolerance to disruption of business continuity and downtime due to a cyberattack or data breach was within 24 hours. In fact, 31% of respondents said their business’ tolerance for downtime was between 1-3 days, 53% said up to 4-6 days, and 12% said more than a week. Interestingly, almost 1 in 2 (49%) respondents said they had stress-tested their ‘data security, data management, and data recovery processes or solutions’, by simulating a response to a cyber event or data breach, in the past six months.
Zero Trust Security & Data Privacy Remains A Challenge Despite Enhanced Regulations & Legislation
Over half (54%) of respondents said their ‘centralized visibility’ of critical data between IT & Security could be improved to detect anomalies and determine sensitive data exposure or breaches. When asked about the data access control measures they had deployed to align with zero trust security principles, barely more than half of companies had deployed multi-factor authentication, and less than half had deployed quorum controls requiring multiple approvals before changes to data, or role-based access controls:
- Multi-factor Authentication (MFA): 52%
- Quorum Controls or Administrative Rules requiring multiple approvals: 49%
- Role-Based Access Control (RBAC): 46%
“The most vital element of cyber resilience is the ability to recover business-critical data that restores key business processes. But you can’t restore critical data if you don’t secure it first from external or internal threats. This starts with deploying effective data access controls like multi-factor authentication (MFA) and role-based access controls (RBAC),” said Brian Spanswick, CISO and CIO, Cohesity. “The fact that almost 1 in 2 organizations are not implementing these controls to protect sensitive data is alarming and demonstrates a significant risk to an organization’s cyber resilience. Especially given that everyday consumers and end-users are often – and rightly – required to have MFA enabled to secure their account credentials, with MFA also an important defense measure against AI-based attack techniques.”
Despite governments and public institutions going to great lengths to encourage more robust cybersecurity, data protection, and data privacy measures, only 42% of respondents said they had all the IT & Security technology capabilities to identify sensitive data and comply with applicable data privacy laws and regulations. Yet, 79% of respondents also said that ‘advanced threat detection, data isolation, and data classification were vital’ to their organization’s qualification for cyber insurance or to secure discounts on their cyber insurance policies.
When asked ‘What, if any, industries and/or sectors do you think are most impacted by cyberattacks?’, respondents selected these as the ‘Top 7’ industries or sectors most impacted [5]:
Globally:
- IT & Technology – 40%
- Banking & Wealth Management – 27%
- Financial Services (including insurance companies) – 27%
- Telecommunications & Media (including streaming services) – 24%
- Government & Public Services – 23%
- Utilities (including Water, Electricity, Gas, and other energy services companies) – 21%
- Manufacturing – 21%
AI A Plus & Minus In Managing Escalating Cyber Threats
According to respondents, organizations must now contend with AI-based cyberattacks or cyber threats, with 4 in 5 (80%) respondents saying they had responded to what they believe to be AI-based attacks or threats within the last 12 months. Of those who answered “Yes”, 82% said they had the ‘necessary AI-powered solutions to counter and respond to these attacks’. Of the 18% who said they had not responded to AI-based cyberattacks or cyber threats in the past year, less than half (49%) said they have the ‘necessary AI-powered solutions to counter and respond to these attacks’, over a third (36%) said they do not, and close to 1 in 7 (15%) said they were unsure.
“Cyber resilience is critical because the incentive and motivation of attackers is so high, with attack surfaces incredibly vast, so a reliance on protective controls is unrealistic,” said Brian Spanswick, CISO and CIO, Cohesity. “Successful cyberattacks and data breaches severely disrupt business continuity, impacting revenue, reputation, and customer trust. This risk must be at the forefront of business leaders’ priorities, not just IT and Security leaders. Similarly, regulation and legislation should not be seen by companies as the ‘ceiling,’ but instead the ‘floor,’ in both developing cyber resilience and adopting data security or recovery capabilities.”