A survey of UK IT decision makers has revealed that 69% of large organizations in the United Kingdom expect to be attacked with ransomware in the next 12 months, while 44% have already experienced a ransomware attack. Out of the organizations that had already been attacked, three quarters believed they would be attacked again in the next 12 months.
The threat from ransomware is well understood in the United States, but the news isn’t getting through on the other side of the Atlantic. While IT decision makers should be aware of the ransomware threat, worryingly, one in ten IT decision makers were not even aware of what ransomware is, and two in ten were not aware of how ransomware works.
If those in charge of IT security are not aware of the extent of the problem, it doesn’t bode well for end users – the individuals who are most likely to inadvertently install ransomware.
While it is worrying that the ransomware threat is not fully understood by many IT professionals, what is even more alarming is the lack of precautions against ransomware attacks. Only 86% of organizations keep a backup of data off site, and while 97% of organizations claim to have an automated backup system, 41% of organizations have not fully backed up their data in the past two years.
It is therefore no surprise that 64% of surveyed organizations that have been infected with ransomware ended up paying the ransom. Unfortunately, 20% of those companies were unable to recover their data even when the ransom was paid.
It is clear that there are large knowledge gaps that need to be addressed in the UK and that ransomware protections need to be improved. The survey data show that ransomware gangs cannot be relied upon to supply working keys to decrypt data. It is therefore essential that viable backups of data exist. Not only must regular backups be made, IT departments must also test those backups to confirm that data can actually be recovered.
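The point that backups must be tested rather than merely made is easiest to see as a restore drill. The script below is an added example, not code from the article or the survey: it backs up a constructed sample directory, records a per-file hash manifest at backup time, restores the archive to a scratch directory, and reports PASS only when every restored file matches the manifest. A second run zeroes a few bytes inside the archive to show that a restore which succeeds at the tar level can still fail the drill. The function names (hash_tree, make_backup, verify_restore, demo_drill) are my own and assume a POSIX shell with tar, find, cmp, dd and sha256sum (or shasum).

```shell
#!/bin/sh
# Added example: a minimal backup-and-restore drill.
# Assumes a POSIX shell with tar, find, cmp, dd and sha256sum (or shasum).
set -u

hash_tree() {
  # Print "hash  ./relative/path" for every regular file under $1, in a
  # stable order, so two directory trees can be compared by content.
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f"
      else
        shasum -a 256 "$f"
      fi
    done )
}

make_backup() {
  # $1 = source directory, $2 = archive path.
  # Writes the archive plus a sidecar manifest taken at backup time.
  tar -C "$1" -cf "$2" . || return 1
  hash_tree "$1" > "$2.manifest"
}

verify_restore() {
  # $1 = archive, $2 = scratch directory for the trial restore.
  # Succeeds only if tar extracts cleanly AND every restored file hashes
  # to what the manifest recorded; a tar exit code of 0 alone is not enough.
  rm -rf "$2" && mkdir -p "$2" || return 1
  tar -C "$2" -xf "$1" || return 1
  hash_tree "$2" > "$2.actual"
  cmp -s "$1.manifest" "$2.actual"
}

make_sample_data() {
  # Constructed sample data (not real records): one ~3 KB file in a
  # subdirectory, large enough to span several 512-byte tar blocks.
  mkdir -p "$1/db"
  awk 'BEGIN { for (i = 0; i < 300; i++) print "record", i }' > "$1/db/records.csv"
}

demo_drill() {
  # Healthy case: prints PASS and returns 0.
  w=$(mktemp -d)
  make_sample_data "$w/src"
  make_backup "$w/src" "$w/backup.tar" || { echo FAIL; return 1; }
  if verify_restore "$w/backup.tar" "$w/restore"; then echo PASS; else echo FAIL; return 1; fi
}

demo_corrupted_drill() {
  # Damaged case: a few bytes of archived file content are zeroed after the
  # backup (simulating a media error or silent tampering). tar still
  # extracts without complaint, but the manifest check catches the change,
  # so the drill prints FAIL and returns 1.
  w=$(mktemp -d)
  make_sample_data "$w/src"
  make_backup "$w/src" "$w/backup.tar" || { echo FAIL; return 1; }
  dd if=/dev/zero of="$w/backup.tar" bs=1 seek=2000 count=8 conv=notrunc 2>/dev/null
  if verify_restore "$w/backup.tar" "$w/restore"; then echo PASS; else echo FAIL; return 1; fi
}

demo_drill
demo_corrupted_drill || true
```

In practice the manifest would be stored separately from the archive (off site, as the survey recommends) and the drill run on a schedule against the real backup set, restoring to an isolated host rather than a temporary directory.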
Employee training sessions are also an essential part of any ransomware prevention strategy. In addition to conducting cyber-awareness and anti-phishing training, it is important to check that employees can apply what they have learned. Simulated phishing exercises should be conducted to confirm that the training has been effective. After all, it only takes one individual to fall for a phishing email for an entire network to be taken out of action.