Ransomware, Malware, Phishing Top List of IT Security Concerns

Malware, ransomware and phishing continue to plague global organizations, according to the Thales 2022 Global Data Threat Report.

The survey of more than 2,700 executives with influence over IT and data security found one in five (21%) have experienced a ransomware attack in the last year.


The study, which was based on a global 451 Research survey fielded in January 2022 and commissioned by Thales, also found that data breaches remain high, with nearly a third of respondents having experienced a data breach in the last 12 months.

While the vast majority (79%) of businesses remain concerned about the security risks of an increasingly remote workforce, the study revealed less than half of businesses (48%) have a formal ransomware plan.

The survey indicated that ransomware’s severity, frequency and impact have altered breach economics: unlike “low and slow” data breaches that occur over days and months, ransomware immediately takes data captive and demands quick action.

Nearly a quarter (23%) of enterprises surveyed said hard financial losses from penalties, fines and legal expenses have been or would be the greatest impact from ransomware. Lost productivity, recovery costs and breach notification lagged behind, while softer, long-term costs such as brand reputation and customer loss were even less of a concern.

Paying the Price for Ransomware

More than one in five respondents worldwide (22%) said they have paid or would pay a ransom for their data. Within the U.S., 24% of respondents said they have paid or would pay.

“Enterprises may not have a good understanding of the effects of all the parties involved, such as cyberinsurance underwriters, incident response firms, government regulations and ransomware attribution,” the report noted. 

Thales’ EMEA technical director Chris Harris explained that part of the challenge for organizations is that there is no single product or solution they can implement that will provide holistic protection.

“Defense against malware and ransomware has to be defense-in-depth and encompass more than ten separate approaches including antivirus, phishing awareness and data encryption,” he said. “It’s likely that most organizations have some elements of protection in place, but maintaining a solid wall of protection requires investment and focused attention on the problem at hand.”

Harris said too few organizations implement what experts would consider a complete collection of preventative and defensive measures.

“One of the biggest vectors for ransomware is human error; the employee that clicks a phishing link or the team member who doesn’t question a malicious instruction which they believe to be genuine,” he added. “The best protection against these attacks is preparedness; frequent cybersecurity crisis simulation exercises and a strong awareness campaign to their users.”

Harris explained that, with these in place, organizations will be better placed to identify gaps in their layers of protection and take early corrective action.

Tim Wade, deputy CTO at Vectra AI, explained that organizations lack reasonable ransomware strategies because of a misalignment between expectations and reality.

“Many organizations haven’t internalized that the ‘ware’ in modern ransomware is a misnomer—modern ransomware has much more to do with a motivated human operator than it does with an instance of malware,” he said. “By the time a malware solution can provide any benefit, it may be much, much too late.”

Meanwhile, a human operator that’s sufficiently motivated will take the time to destroy backups, spare capacity or system redundancy.

“Organizations that want to have a plan for ransomware need to have a plan for detecting and evicting malicious human operators; they need to understand that everyone is minimally a target of opportunity regardless of size, vertical or region,” Wade said. 

Managing Data Protection in the Cloud

In addition, the survey found the majority (51%) of IT leaders agreed it is more complex to manage privacy and data protection regulations in a cloud environment.

Data visibility was also seen as a major challenge, with slightly more than half (56%) of IT leaders saying they were very confident about, or had complete knowledge of, where their data was being stored, down from 64% the previous year. Only a quarter of respondents said they were able to classify all their data.

Even as they face an expanding attack surface, organizations are deploying even more SaaS technologies, with cloud consumption continuing to grow at the same rapid rate as last year.

The report found 34% of respondents said they used more than 50 SaaS apps and more than 16% said they used more than 100 SaaS apps.

Some progress has been made in cloud security, as 22% of respondents said more than 60% of their sensitive cloud data is encrypted, up from 17% in the 2021 study.

Harris said for an organization to decide which levels of protection and controls to use, it must first be able to discover data wherever it resides and classify it.

This means scanning all on-premises and cloud repositories for structured and unstructured data, which can be in many forms, including files, databases and big data.

“The journey to compliance starts with finding sensitive data before auditors or hackers,” he noted. “Once an organization knows where its sensitive data is, it should protect that data with measures such as encryption.”

For encryption to successfully secure sensitive data, the cryptographic keys themselves must be secured, managed and controlled by the organization. Finally, the organization needs to control access to its data and centralize key management.

“Every data sovereignty or privacy regulation and mandate requires organizations to be able to monitor, detect, control and report on authorized and unauthorized access to data and encryption keys,” Harris said. 

 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
