74% of ransomware victims were attacked multiple times in a year

An alarming trend toward multiple, sometimes simultaneous cyber attacks forces business leaders to re-evaluate their cyber resilience strategies to address common points of failure, including inadequate identity system backup and recovery practices, according to Semperis.

Survey of nearly 1,000 IT and security professionals shows 83% of organizations were targeted by ransomware attacks in the past year with a high degree of success, sounding alarming trends in attack frequency, severity, and consequences.

Companies are suffering successful ransomware attacks multiple times within the same year — resulting in closures, layoffs, loss of revenue and customer trust, and cancelation of cyber insurance.

“Considering that there is a 24/7 threat arrayed against today’s organizations, you can never say ‘I am safe’ or take a moment off. The best you can do is to make your environment defensible and then defend it,” said Chris Inglis, Semperis Strategic Advisor and first U.S. National Cyber Director.

“At the center of this whole discussion is business viability. Attackers are trying to hold that at risk so that they can then convince you to buy them out. If they can achieve a successful attack on identity, then they own privilege, and they can then use that privilege to their benefit,” Inglis continued.

Ransomware attacks are not a one-time threat

Despite widespread adoption of cybersecurity and disaster recovery planning, many companies are paying multiple ransoms per year.

74% of respondents that were attacked for ransom in the past 12 months were attacked multiple times, many within the span of a week.

78% of targeted organizations paid the ransom—72% paid multiple times, and 33% of those paid ransom four times or more. 87% of attacks caused business disruption—even for those that paid ransom—including data loss and the need to take systems offline. For 16% of respondents, the attack created a life-or-death dilemma.

35% of victims who paid ransom either did not receive decryption keys or received corrupted keys. 49% of respondents needed 1 to 7 days to recover business operations to minimal IT functionality after a ransomware attack, and 12% needed 7 days or more.

Identity is the new security perimeter

Although 70% of respondents said they had an identity recovery plan, signaling strong progress towards IAM-centric security, only 27% reported having dedicated, AD-specific backup systems. Without AD-specific, malware-free backups and a tested, cyber-specific recovery plan, recovery will be prolonged, increasing the chance that the organization will decide to pay ransom to restore business operations.

“For management and the Board to make an educated decision not to pay ransom, they need to know how long recovery will take and have confidence in the process. That means you must test your plan in as close to a real-world scenario as possible and present it to the Board before an attack occurs. That way, when disaster strikes, decision makers will have been confident in their ability to say ‘no’ to attackers,” said Mickey Bresman, CEO, Semperis.

Of the ongoing cybersecurity challenges organizations cited, lack of support from the Board of Directors topped the list. Other concerns included budget constraints, staffing shortages, outdated systems, and cybersecurity regulations and directives.

“Technology can help us analyze and assess what’s happening, moment by moment,” Inglis said. “It can help us respond more quickly and recover more quickly. But the thing that is most wanting now is a collective realization that we all have a part to play. That starts with the Board, not with the IT shop. The Board is accountable; the SEC has made that clear. Regulations are increasingly making it clear: cybersecurity is a business issue.”

Companies must expand their “assume breach” mindset to prepare for multiple and even simultaneous attacks.