Survey finds that IT departments victimized by ransomware forever changed

IT managers at organizations hit by ransomware are nearly three times as likely to feel "significantly behind" when it comes to understanding cyberthreats, compared to their peers that have never been hit.

The tsunami of ransomware attacks hitting enterprises this year is having a noticeable effect on IT managers across the world, according to a new survey from cybersecurity company Sophos. 

The "Cybersecurity: The Human Challenge" survey featured responses from 5,000 IT managers and business leaders in January and February. The respondents hail from 26 countries on six continents and are employed by organizations of all sizes in a variety of industries.

There was a clear difference in responses between those who had lived through a ransomware attack and those who had not experienced one. More than half of all respondents said their organizations had been through a ransomware attack in the last year and cybercriminals were successful in encrypting data in 73% of these attacks, according to Sophos.

One of the key factors that tied many ransomware victims together in the survey was that those IT managers often put more of a focus on detection and response. Organizations that had not been hit by ransomware spent more time on prevention methods, according to the survey's findings. 

"The difference in resource priorities could indicate that ransomware victims have more incidents to deal with overall. However, it could equally indicate that they are more alert to the complex, multi-stage nature of advanced attacks and therefore put greater resource into detecting and responding to the tell-tale signs that an attack is imminent," said Chester Wisniewski, principal research scientist at Sophos.

Ransomware attacks also had a drastic effect on the confidence of IT managers and their teams when it came to understanding the threat landscape. Those who had lived through these kinds of attacks were three times more likely to feel as though they were significantly behind on the latest cyberthreats.

This discrepancy held for people at all levels of the IT management tree as well as business leaders. 

"It's important to remember that these responses are the perception of the survey respondent rather than a measure of how up to date they actually are. It may be that being hit by ransomware is a reality check and, as a result of their experiences, ransomware victims have a far more accurate understanding of the situation," the survey said, adding that cloud-based breaches and third-party mistakes were often the root cause of many problems. 

"Cloud security is also a challenge with 70% of organizations that host data or workloads in the public cloud experiencing a security incident in the last year. Another challenge IT teams face is securing third-party organizations that can connect directly to their network, such as accounting services or IT providers."

The average respondent said they have at least three different suppliers connected to their systems, but responses varied based on region. More than 20% of respondents had at least five suppliers connected to their system, and the figures reached above 30% in the Czech Republic, India, Malaysia, and Sweden. Canada and Poland were at the opposite end of the spectrum, with just 10% of respondents reporting that they have five or more suppliers with remote access.

Nearly 30% of the ransomware-hit organizations had five or more suppliers linked directly into their network, according to the study, compared to just 13% of those who had not experienced a ransomware attack. About 10% of victimized respondents specifically cited third-party access as the root cause of their attack. 

The survey also highlights the shift toward human-centered threat hunts as part of a larger security ecosystem that includes automation. These efforts are complicated by what respondents said was a shortage of cybersecurity talent and an inability to keep people in-house.

"IT security teams need to be on full alert 24 hours a day, seven days a week and have a full grasp of the latest threat intelligence on attacker tools and behaviors. The survey findings illustrate clearly the impact of these near-impossible demands. Among other things, those hit by ransomware were found to have severely undermined confidence in their own cyberthreat awareness," Wisniewski said. 

"However, their ransomware experiences also appear to have given them a greater appreciation of the importance of skilled cybersecurity professionals, as well as a sense of urgency about introducing human-led threat hunting to better understand and identify the latest attacker behavior. Whatever the reasons, it is clear that when it comes to security, an organization is never the same again after being hit by ransomware."

Human-led threat hunting was more common in China, Spain, India, and South Africa, which all had more than 60% of respondents say they have implemented the approach. Around 30% of respondents in Turkey, Nigeria, and Poland said they were using the human-centered method.

Organizations that had been hit with ransomware attacks were also more likely to have implemented human-led threat hunts in an effort to avoid another incident, according to the survey. 

Enterprises are also outsourcing IT security at high rates, with 65% reporting that they do it in some capacity. About half of respondents said they use a hybrid combination of in-house security teams and outsourcing. More than 70% of respondents at organizations in China, the UAE, Malaysia, and Singapore reported outsourcing IT security, while enterprises in Belgium, France, and Nigeria were closer to 50%.

"The global trend is for outsourcing to increase over the next two years, from the current 65% to almost three quarters (72%) in 2022. The biggest change will be in the percentage of organizations that exclusively use in-house staffing: this is set to drop from 34% to 26%," the study said. 

"Respondents in Spain and India plan to increase in-house only IT security management – while the numbers are relatively small (from 34% to 37% in Spain, and from 33% to 34% in India) it is interesting that they plan to buck the global trend." 

Half of the respondents in the Philippines reported that they were preparing to outsource all of their IT security by 2022. Respondents from other countries, including the Czech Republic, Nigeria, Sweden, and Australia, were all planning to move toward outsourcing IT security.

John Shier, senior security adviser at Sophos, said that threat groups are constantly evolving their tactics, forcing IT security teams into demanding roles that require them to be on full alert 24/7. 

"The survey results make one thing clear: The impacts of a ransomware attack reach much further than technological or financial consequences on the business – they also take a toll on the humans behind IT security and their abilities to address future threats," Shier said.

"Experiencing a ransomware attack firsthand adds even greater strain, undermining confidence in their own abilities and preparedness. Regardless of past experience however, it's important that organizations prioritize threat prevention and put measures in place that can stop ransomware attacks in the first place."
