New research commissioned by Cohesity, an AI-powered data security firm, reveals organizations overestimate their cyber resilience capabilities and maturity, leading to significant business continuity disruptions and ransom payments.

The Cohesity Global Cyber Resilience Report 2024, which polled over 3,100 IT and Security decision-makers in eight countries, confirms that the threat of cyber attacks, especially ransomware, continues to rise: the majority of respondents had fallen victim to a ransomware attack in the last six months, and most had paid a ransom in the past year.

Most respondents said the threat of cyber attacks to their organization’s industry of operation has or will increase in 2024 compared to 2023.

According to respondents, companies’ cyber resilience strategies are holding up against a worsening cyber threat landscape, with close to 4 in 5 (78 percent) saying they have confidence in their company’s cyber resilience strategy and its ability to “address today’s escalating cyber challenges and threats.”

At the same time, 67 percent of respondents revealed they had been the “victim of a ransomware attack” in 2024. Some 96 percent indicated the threat of cyber attacks to their industry had increased or would increase this year, and close to 3 in 5 (59 percent) said it had increased or would increase by over 50 percent compared to 2023.

Organizations Are Paying Ransoms & Breaking ‘Do Not Pay’ Policies

Though the majority of respondents said they were “mostly confident” or had “complete confidence” in their organization’s cyber resilience strategy, only 6 percent said their company would not pay a ransom to recover data and restore business processes (or to do so faster), while 83 percent reported it would.

Globally, 75 percent of respondents said their company would be willing to pay over $1 million in ransoms to recover data and restore business processes, and 22 percent said their company would be willing to pay over $5 million.

Close to 7 in 10 (69 percent) respondents said their organization had paid a ransom in the year before being surveyed, despite 77 percent reporting their company had a “do not pay” policy. The more than 2,100 respondents who had paid a ransom reported paying the following totals in the past year:

  • 37 percent paid ransoms totaling $1 to $249,999
  • 23 percent paid ransoms totaling $250,000 to $499,999
  • 23 percent paid ransoms totaling $500,000 to $999,999
  • 12 percent paid ransoms totaling $1,000,000 to $2,999,999
  • 6 percent paid ransoms totaling $3,000,000 to $9,999,999
  • 0.33 percent (7 respondents) paid ransoms totaling $10,000,000 to $25,000,000

“The reality for organizations is that destructive cyber attacks, like ransomware, are a ‘when, not if’ reality that threatens their business continuity. However, organizations can tackle this reality head-on by enhancing their cyber resilience — the ability to rapidly respond and recover from cyber attacks or traditional business continuity scenarios — by adopting modern data security, response, and recovery capabilities,” said Brian Spanswick, CISO and CIO, Cohesity. “Organizations may have the greatest confidence in their cyber resilience, both in their strategy and capabilities, but the reality is that the majority are paying ransoms or would pay a ransom, so organizations are overconfident or overestimate their cyber resilience.”

Companies’ Confidence in Cyber Resilience Doesn’t Match Recovery & Restoration Realities

Based on responses to the survey, cyber resilience remains a challenge that threatens business continuity.

Only 2 percent of respondents said they could recover data and restore business processes within 24 hours, while 18 percent said their company could do so within 1-3 days.

Another 32 percent said they could recover and restore in 4-6 days, 31 percent would need 1-2 weeks, and nearly 16 percent would need over three weeks to recover data and restore business processes.

When asked what their organization’s “targeted optimum recovery time objectives (RTO) to minimize business impact in the event of a cyber attack or incident of compromise” was, 98 percent of respondents said their target was within one day, even though only 2 percent reported they could actually recover data and restore business processes within that period. Almost 1 in 2 (45 percent) said their targeted optimum RTO was within two hours.

Just 2 percent of respondents said their organizations’ tolerance to disruption of business continuity and downtime due to a cyber attack or data breach was within 24 hours.

Nearly 31 percent of respondents said their business’ tolerance for downtime was 1-3 days, 53 percent said 4-6 days, and 12 percent said more than a week.

Almost half said they had stress-tested their “data security, data management, and data recovery processes or solutions,” by simulating a response to a cyber event or data breach, in the past six months.

Zero Trust Security & Data Privacy Remains a Challenge Despite Enhanced Regulations & Legislation

Over half (54 percent) of respondents said their “centralized visibility” of critical data between IT & Security could be improved to detect anomalies and determine sensitive data exposure or breaches.

When asked about their data access control measures to align with zero trust security principles, barely more than half of companies had deployed multi-factor authentication, and less than half had deployed features requiring multiple approvals before changes to data or role-based access controls:

  • Multi-factor Authentication (MFA): 52 percent
  • Quorum Controls or Administrative Rules requiring multiple approvals: 49 percent
  • Role-Based Access Control (RBAC): 46 percent

“The most vital element of cyber resilience is the ability to recover business-critical data that restores key business processes. But you can’t restore critical data if you don’t secure it first from external or internal threats. This starts with deploying effective data access controls like multi-factor authentication (MFA) and role-based access controls (RBAC),” said Spanswick. “The fact that almost 1 in 2 organizations are not implementing these controls to protect sensitive data is alarming and demonstrates a significant risk to an organization’s cyber resilience. Especially given that everyday consumers and end-users are often — and rightly — required to have MFA enabled to secure their account credentials, with MFA also an important defense measure against AI-based attack techniques.”

Despite governments and public institutions going to great lengths to encourage more robust cybersecurity, data protection and data privacy measures, only 42 percent of respondents said they had all the IT & Security technology capabilities to identify sensitive data and comply with applicable data privacy laws and regulations. Yet the survey also found that 79 percent of respondents said “advanced threat detection, data isolation, and data classification were vital” to their organization’s qualification for cyber insurance or to securing discounts on their cyber insurance policies.

When asked “What, if any, industries and/or sectors do you think are most impacted by cyber attacks?” respondents selected these as the “Top 7” industries or sectors most impacted:

Globally:

  1. IT & Technology – 40 percent
  2. Banking & Wealth Management – 27 percent
  3. Financial Services (including insurance companies) – 27 percent
  4. Telecommunications & Media (including streaming services) – 24 percent
  5. Government & Public Services – 23 percent
  6. Utilities (including Water, Electricity, Gas, and other energy services companies) – 21 percent
  7. Manufacturing – 21 percent

AI a Plus & Minus in Managing Escalating Cyber Threats

According to respondents, organizations must now contend with AI-based cyber attacks or cyber threats, with 4 in 5 (80 percent) respondents saying they had responded to what they believe to be AI-based attacks or threats within the last 12 months.

Of those respondents who had sustained an AI-based cyber attack, 82 percent said they had the “necessary AI-powered solutions to counter and respond to these attacks.”

Of the 18 percent who said they had not responded to AI-based cyber attacks or cyber threats in the past year, less than half (49 percent) said they have the “necessary AI-powered solutions to counter and respond to these attacks,” over a third (36 percent) said they do not, and close to 1 in 7 (15 percent) said they were unsure.

“Cyber resilience is critical because the incentive and motivation of attackers is so high, with attack surfaces incredibly vast, so a reliance on protective controls is unrealistic,” said Spanswick. “Successful cyber attacks and data breaches severely disrupt business continuity, impacting revenue, reputation, and customer trust. This risk must be at the forefront of business leaders’ priorities, not just IT and Security leaders. Similarly, regulation and legislation should not be seen by companies as the ‘ceiling,’ but instead the ‘floor,’ in both developing cyber resilience and adopting data security or recovery capabilities.”

The findings are based on a survey of 3,139 IT & Security decision-makers (split between IT and Security as close to 50:50 as possible) commissioned by Cohesity and conducted by Censuswide between 6/27/2024 and 7/18/2024. The top five industries that respondents selected as best representing their company’s operations were IT & Telecommunications, Manufacturing, Financial Services (incl. Insurance), Banking & Wealth Management, and Hospitals & Healthcare.