U.S. companies surveyed by Ponemon/CBI spend an average of $6 million a year to mitigate ransomware attacks. Pictured: Fuel holding tanks are seen at Colonial Pipeline's Linden Junction Tank Farm on May 10, 2021, in Woodbridge, N.J. (Photo by Michael M. Santiago/Getty Images)

Financial institutions lack confidence in their security controls, and the cost figures help explain why: they spend an average of $170,000 per incident on staffing alone for ransomware attacks, with employees spending an average of 190 hours on “containment and remediation activities.”

More generally, companies overall spend an average of $6 million per year to mitigate the damage from ransomware attacks, according to a study released Wednesday by the Ponemon Institute and CBI. Four out of five of the companies surveyed for the Ponemon/CBI study say they experienced one or more ransomware attacks recently, with 68% of respondents reporting an attack in the past year. Even more unsettling, nearly half of the companies that had a ransomware incident (45%) say they were forced to “shut down” at least temporarily in order to get systems back into working order.

“Ransomware incident preparedness and mitigation remains one of the biggest challenges facing organizations regardless of their size, but it doesn’t mean it has to be one of the biggest budget allocations,” said Shaun Bertrand, CSO at CBI, in a prepared release. “Organizations need to gain confidence in their approaches, technologies, personnel and tactics. Part of building that confidence is admitting where there are gaps and collaborating with strong partners to fill those gaps.”

While many financial firms have operated on the belief that having a solid data backup will protect them, 55% of respondents to the Ponemon/CBI survey say they believe a “full and accurate backup is not sufficient with respect to mitigation when experiencing a ransomware attack.”

Furthermore, nearly two-thirds (64%) say they do not assess the security practices of external third parties and partners as part of their security reviews. And only one-third of company executives (33%) say they believe their “third parties have the necessary privacy and security practices in place to reduce the risk of a data breach.” (The report was created in partnership with Check Point Software Technologies Ltd., and the survey canvassed 659 IT and IT security professionals at small to large-sized companies in the United States.)

Dr. Larry Ponemon, chairman and founder of Ponemon Institute, said in the release: “The cost per incident will continue to increase, and the types of attacks will continue to evolve. What’s most striking is the vast majority of organizations are not doing enough to evaluate the security of their third parties. These findings should be a wakeup call and motivate organizations to evolve their ransomware mitigation playbooks.”