To pay hackers’ ransom demands or to invest in more security?

One third of global business decision makers report that their organization would try to cut costs by paying a ransom demand from a hacker rather than invest in information security.

The findings from the latest Risk:Value report, commissioned by NTT Security, show that a further 16 percent are not sure if they would pay or not, leaving just half of respondents prepared to invest in security and take a less reactive approach to the protection of their organization.

Examining business attitudes to risk and the value of information security, te company’s annual Risk:Value report surveyed 1,800 C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from across multiple industry sectors.

The findings are particularly concerning, given the growth in ransomware. According to NTT Security’s Global Threat Intelligence Report (GTIR) published in April, ransomware attacks surged by 350 percent in 2017, accounting for 7 percent of all malware attacks worldwide, while in EMEA, ransomware represented 29 percent of all attacks in the region.

Confidence levels and estimated costs of a breach

Levels of confidence about being vulnerable to attack also seem to be unrealistic. Around half of respondents (47 percent) claim that their organization has not been affected by a data breach, although of these 14 percent expect to suffer one, while a third do not expect to suffer from a breach at all. More worrying is the 12 percent globally who are not sure, an average driven up by the one in five (22 percent) in the UK who do not know if they have suffered a breach or not.

When it comes to the impact of a breach, respondents are most concerned about what a data breach will do to their image, with more than half concerned about loss of customer confidence (56 percent) and damage to reputation (52 percent).

The financial losses from a breach come second after image, according to the report. The estimated loss in terms of revenue is 10.29 percent on average, up from 2017’s 9.95 percent, although executives in Europe are more optimistic, expecting lower revenue losses than those in the US or APAC. The estimated cost of recovery has increased to $1.5m, up from $1.3m in 2017 and $900k in 2015, while encouragingly respondents anticipate it would take 57 days to recover, down from 74 days in 2017.

Whose responsibility is it anyway?

According to the report, there is no clear consensus on who is responsible for day to day security, with 22 percent of respondents saying the CIO is responsible, compared to 20 percent for the CEO and 19 percent for the CISO. This suggests that no single role is stepping up to the plate.

One area of consensus, however, is the need for regular boardroom discussions about security, with 81 percent of respondents agreeing that preventing a security attack should be a regular item on the Board’s agenda, up from 73 percent last year. But only 61 percent admit it is, a marginal increase from 56 percent in 2017.

How prepared are organizations?

Respondents this year estimate that the operations department spent more of its budget on security (17.84 percent on average) than the IT department did (14.32 percent on average) – for the second year in a row. In fact, IT spent less of its budget on security this year than in 2017 (14.58 percent).

Year on year, the NTT Security Risk:Value report shows that companies are still failing when it comes to communicating information security policies. More than half (57 percent) claim to have a policy in place, just 1 percent up from last year, while 26 percent are working on one. While 81 percent of respondents with a policy in place say this is actively communicated internally, just 39 percent admit that employees are fully aware of it.

Comparing this year’s figures to 2017, it appears that organizations are also failing to progress their incident response plans. Less than half (49 percent) say they have implemented a plan, with a further 30 percent in the process, a change from 48 percent and 31 percent respectively in 2017. This suggests that just 1 percent have finished a response plan since last year.

Stuart Reed, Senior Director Market Strategy at NTT Security comments: “This year’s report suggests that many organizations are falling into the trap of making the same mistakes when it comes to effectively communicating their security policies internally and progressing their response plans in the event of a breach. Many are stuck in a reactive mindset when it comes to security. This is reinforced by the fact that more than a third would rather pay a ransom demand than invest in cybersecurity, especially given the rise in ransomware detections and global headline-grabbing incidents like WannaCry.

“But we are encouraged by the fact that the majority of respondents are prepared to take a long-term, proactive stance when it comes to security, and are supportive of it becoming a regular discussion item at the Board level. The fact that more businesses are also looking to work with third party providers to support them in their security efforts is also a very positive step.”