Security Professionals View Ransomware and Terrorism as Equal Threats

December 29, 2021 - In a survey of more than 1,500 security professionals, 60 percent of respondents reported viewing ransomware and terrorism as equal threats. Sapio Research conducted the survey on behalf of machine identity management provider Venafi.

The findings echoed the sentiments of the Department of Justice (DOJ), which announced in June 2021 that it would prioritize ransomware attacks at a level it previously reserved only for terrorism, Reuters reported.

The healthcare industry and other critical infrastructure sectors have been hit especially hard by ransomware in recent years, and the attacks are not slowing down. Over 500 healthcare organizations reported data breaches involving protected health information (PHI) to HHS’s Office for Civil Rights (OCR) in 2021.

Two-thirds of surveyed security professionals reported that their organization had suffered a ransomware attack over the past 12 months. Both large and small companies were impacted significantly by ransomware in the past year.

Despite the increase in attacks, 77 percent of respondents still said that they are confident that their current security tools will protect them from future ransomware attacks.

“However, this confidence varies by job title, indicating slightly less confidence from security team leaders than from C-level executives in the efficacy of their current toolsets,” the survey pointed out.

The findings validated previous (ISC)² research that showed a disconnect between cybersecurity leaders and C-suite executives when it comes to communicating ransomware risks.

Over a third of respondents said they would pay the ransom, but 57 percent of those respondents said they would reverse that decision if they had to publicly report the payment. The Ransomware Disclosure Act could potentially require companies to report ransomware payments within 48 hours. For healthcare, breaches impacting over 500 individuals must be reported to HHS.

The survey also found that most current defense-in-depth security controls are not fit for modern IT infrastructures.

“Organizations use a wide variety of security controls designed to protect against or limit the impact of a ransomware attack,” the report explained.

“However, most of these security controls are not optimized to handle perimeterless networks, let alone the infrastructure changes resulting from digital transformation. In particular, DevOps methodologies and software-defined networks require different security strategies to break the ransomware kill chain.”

Over 40 percent of respondents reported using VPNs, and many others reported using regular encrypted backups, anti-phishing technology, and vulnerability scanning. Of all the security controls explored, only a few are designed to actually break the ransomware kill chain, the research stressed.

Despite their confidence in current security practices, more than three-quarters of surveyed security professionals reported that their organization was planning to increase their ransomware budget for the next year.

“These numbers suggest that security teams realize their current strategies do not provide enough protection, along with the likelihood that ransomware threats will continue to increase in 2022,” the report concluded.

“InfoSec teams may justify these investments because the cost of ransomware attack— regardless of whether it is successful—can quickly rise far beyond the cost of the ransom price itself.”