Cohesity Research Finds Organizations Overestimate Their Cyber Resilience, Leading to Business Continuity Issues & Ransom Payments

Almost Half of Companies Need Over 6 Days To Recover Data & Restore Usual Business Processes

Cyber resilience research commissioned by Cohesity, a leader in AI-powered data security, reveals organizations overestimate their cyber resilience capabilities and maturity, leading to significant business continuity disruptions and ransom payments. The Cohesity Global Cyber Resilience Report 2024 polled from over 3100 IT and Security decision-makers in eight countries¹ confirms the threat of cyberattacks - especially ransomware - continues to rise, with the majority of respondents falling victim to a ransomware attack in the last six months, and most having paid a ransom in the past year. Moreover, most respondents said the threat of cyberattacks to their organization's industry of operation has or will increase in 2024 compared to 2023.

According to respondents, companies’ cyber resilience strategies are holding up against a worsening cyber threat landscape, with close to 4 in 5 (78%) respondents saying they have confidence in their company’s cyber resilience strategy and its ability to ‘address today’s escalating cyber challenges and threats’.² At the same time, over 2 in 3 (67%) respondents revealed they had been the ‘victim of a ransomware attack’ in 2024; 96% said the threat of cyberattacks to their industry would increase or had increased this year, with close to 3 in 5 (59%) saying it had or will increase by over 50% compared to 2023.

Organizations Are Paying Ransoms & Breaking ‘Do Not Pay’ Policies

However, despite the majority of respondents saying they were ‘mostly confident’ or had ‘complete confidence’ in their organization’s cyber resilience strategy, only 6% of respondents said their company would not pay a ransom to recover data and restore business processes, or do so faster, with 83% saying they would.³ In fact, 3 in 4 (75%) respondents globally said their company would be willing to pay over US$1 million in ransoms to recover data and restore business processes, and over 1 in 5 (22%) said their company would be willing to pay over US$5 million.

Concerningly, close to 7 in 10 (69%) respondents said their organization had paid a ransom in the last year, before being surveyed, despite 77% saying their company had a ‘do not pay’ policy. The more than 2100 respondents, who have paid a ransom, said they had paid ransoms⁴ in the past year totaling:

• 37% have paid ransom(s) between US$1 - US$249,999
• 23% have paid ransom(s) between US$250,000 - US$499,999
• 23% have paid ransom(s) between US$500,000 - US$999,999
• 12% have paid ransom(s) between US$1,000,000 - US$2,999,999
• 6% have paid ransom(s) between US$3,000,000 - US$9,999,999
• 0.33% (7 respondents) have paid ransom(s) between US$10,000,000 - US$25,000,000

“The reality for organizations is that destructive cyberattacks, like ransomware, are a ‘when’ not ‘if’ reality that threatens their business continuity. However, organizations can tackle this reality head-on by enhancing their cyber resilience - the ability to rapidly respond and recover from cyberattacks or traditional business continuity scenarios - by adopting modern data security, response, and recovery capabilities,” said Brian Spanswick, CISO and CIO, Cohesity. “Organizations may have the greatest confidence in their cyber resilience, both in their strategy and capabilities, but the reality is that the majority are paying ransoms or would pay a ransom, so organizations are overconfident or overestimate their cyber resilience.”

Companies’ Confidence In Cyber Resilience Doesn’t Match Recovery & Restoration Realities

Cyber resilience is the technology backbone for business continuity. Cyber resilience defines companies’ ability to recover their data and restore business processes when they suffer a cyberattack. However, cyber resilience remains a challenge that threatens business continuity, according to respondents:

• Only 2% of respondents said they could recover data & restore business processes within 24 hours
• 18% said their company could recover data and restore business processes within 1-3 days
• 32% said they could recover and restore in 4 to 6 days, while 31% would need 1-2 weeks
• Almost 1 in 6 (16%) need over three weeks to recover data and restore business processes

Conversely, when asked what their organization’s ‘targeted optimum recovery time objectives (RTO) to minimize business impact in the event of a cyberattack or incident of compromise' was, 98% of respondents said their target was within one day, despite only 2% saying they could recover data and restore business processes within this same period. Almost 1 in 2 (45%) said their targeted optimum RTO was within two hours.

Customers and consumers expect consistent continuity of operations or services, which is why effective cyber resilience is vital. Yet, only 2% said their organizations’ tolerance to disruption of business continuity and downtime due to a cyberattack or data breach was within 24 hours. In fact, 31% of respondents said their business’ tolerance for downtime was between 1-3 days, 53% said up to 4-6 days, and 12% said more than a week. Interestingly, almost 1 in 2 (49%) respondents said they had stress-tested their ‘data security, data management, and data recovery processes or solutions’, by simulating a response to a cyber event or data breach, in the past six months.

Zero Trust Security & Data Privacy Remains A Challenge Despite Enhanced Regulations & Legislation

Over half (54%) of respondents said their ‘centralized visibility’ of critical data between IT & Security could be improved to detect anomalies and determine sensitive data exposure or breaches. When asked about their data access control measures to align with zero trust security principles, barely more than half of companies had deployed multi-factor authentication, and less than half had deployed features requiring multiple approvals before changes to data or role-based access controls:

• Multi-factor Authentication (MFA): 52%
• Quorum Controls or Administrative Rules requiring multiple approvals: 49%
• Role-Based Access Control (RBAC): 46%

“The most vital element of cyber resilience is the ability to recover business-critical data that restores key business processes. But you can’t restore critical data if you don’t secure it first from external or internal threats. This starts with deploying effective data access controls like multi-factor authentication (MFA) and role-based access controls (RBAC),” said Brian Spanswick, CISO and CIO, Cohesity. “The fact that almost 1 in 2 organizations are not implementing these controls to protect sensitive data is alarming and demonstrates a significant risk to an organization’s cyber resilience. Especially given that everyday consumers and end-users are often - and rightly - required to have MFA enabled to secure their account credentials, with MFA also an important defense measure against AI-based attack techniques.”

Despite governments and public institutions going to great lengths to encourage more robust cybersecurity, data protection, and data privacy measures, only 42% of respondents said they had all the IT & Security technology capabilities to identify sensitive data and comply with applicable data privacy laws and regulations. Yet, 79% of respondents also said that ‘advanced threat detection, data isolation, and data classification were vital’ to their organization’s qualification for cyber insurance or to secure discounts on their cyber insurance policies.

When asked ‘What, if any, industries and/or sectors do you think are most impacted by cyberattacks?’, respondents selected these as the ‘Top 7’ industries or sectors most impacted⁵:

Globally:

1. IT & Technology - 40%
2. Banking & Wealth Management - 27%
   
   Financial Services (including insurance companies) - 27%
3. Telecommunications & Media (including streaming services) - 24%
4. Government & Public Services - 23%
5. Utilities (including Water, Electricity, Gas, and other energy services companies) - 21%
6. Manufacturing - 21%

AI A Plus & Minus In Managing Escalating Cyber Threats

According to respondents, organizations must now contend with AI-based cyberattacks or cyber threats, with 4 in 5 (80%) respondents saying they had responded to what they believe to be AI-based attacks or threats within the last 12 months. Of those respondents who said: “Yes”, 82% said they had the ‘necessary AI-powered solutions to counter and respond to these attacks.’ Of the 18% who said they had not responded to AI-based cyberattacks or cyber threats in the past year, less than half (49%) said they have the ‘necessary AI-powered solutions to counter and respond to these attacks’, over a third (36%) said they do not, and close to 1 in 7 (15%) said they were unsure.

“Cyber resilience is critical because the incentive and motivation of attackers is so high, with attack surfaces incredibly vast, so a reliance on protective controls is unrealistic,” said Brian Spanswick, CISO and CIO, Cohesity. “Successful cyberattacks and data breaches severely disrupt business continuity, impacting revenue, reputation, and customer trust. This risk must be at the forefront of business leaders’ priorities, not just IT and Security leaders. Similarly, regulation and legislation should not be seen by companies as the ‘ceiling,’ but instead the ‘floor,’ in both developing cyber resilience and adopting data security or recovery capabilities.”

About the survey:

The findings are based on a survey of 3139 IT & Security decision-makers (split as close to 50:50 as possible) commissioned by Cohesity and conducted by Censuswide between 27.06.2024 - 18.07.2024. The top five industries that respondents selected as best representing their company's operations were IT & Telecommunications, Manufacturing, Financial Services (incl. Insurance), Banking & Wealth Management, and Hospitals & Healthcare. Censuswide abides by and employs the Market Research Society members, follows the MRS code of conduct and ESOMAR principles, and is a member of the British Polling Council.

Additional Resources

• Find out about how Cohesity can improve your cyber resilience and data security.
• Get the news in the Cohesity newsroom & read Cohesity blogs.
• Follow Cohesity on X (formerly Twitter), Facebook, and LinkedIn.

About Cohesity

Cohesity is a leader in AI-powered data security and management. Aided by an extensive ecosystem of partners, Cohesity makes it easier to secure, protect, manage, and get value from data – across the data center, edge, and cloud. Cohesity helps organizations defend against cybersecurity threats with comprehensive data security and management capabilities, including immutable backup snapshots, AI-based threat detection, monitoring for malicious behavior, and rapid recovery at scale. Cohesity solutions can be delivered as a service, self-managed, or provided by a Cohesity-powered partner. Cohesity is headquartered in San Jose, CA, and is trusted by the world’s largest enterprises, including 47 of the Fortune 100.

_______________________________

¹ Respondents were polled in: Australia, France, Germany, Japan, Malaysia, Singapore, the United Kingdom, and the United States.

² Respondents were provided with the NIST definition of cyber resiliency at the start of the survey: “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”

³ 11% said ‘maybe, depending on the ransom amount.’

⁴ Respondents were asked to select the ransom amount they had paid with the last year, or if they had paid multiple ransoms to select the total amount of the ransoms they had paid.

⁵ Respondents were asked to select their ‘Top 7’. This is why the percentage figures total over 100% for this data set.

View source version on businesswire.com: https://www.businesswire.com/news/home/20240815400085/en/

“Organizations may have the greatest confidence in their cyber resilience ... but the reality is that the majority are paying ransoms or would pay a ransom, so organizations are overconfident or overestimate their cyber resilience." @cohesity