Research from Egress on Wednesday found that only 23% of board members consider ransomware their top priority.
The software company said it’s a major concern because according to the survey, 59% of organizations fell victim to ransomware and a staggering 84% of organizations were victims of phishing, even though 98% of companies offer anti-phishing training to the staff.
“Cybercriminals continue to leverage sophisticated social engineering attempts to catch users at a weak moment and gain access to the sensitive data they’re seeking," said Jack Chapman, vice president of threat research at Egress. “The results of this study show that cybersecurity training is limited in its effectiveness and it’s a big ask for people within an organization to be constantly vigilant to phishing threats”
It's incredibly concerning that only 23% of board members see ransomware as a major threat to their organizations, said Hank Schless, senior manager, security solutions at Lookout. Schless said this might happen because board members think about these events in terms of what can have the most impact on the business. However, a successful ransomware attack can be detrimental to the existence of any organization.
“Everyone needs to understand the connection between security and business continuity,” Schless said. “Today, when entire organizations run on cloud-based infrastructure, everything about the business relies on having secure systems. The commercialization of ransomware and the emergence of the Ransomware-as-a-Service market have made these attacks much more viable for less sophisticated hackers. This will only increase the number of ransomware attacks organizations face.”
John Bambenek, principal threat hunter at Netenrich, said business leaders are in business to make money and they view security as a cost center, ironically even for security companies.
“Part of this number is complacence,” Bambenek said. “Like car insurance, no one thinks accidents will happen to them until they do. Part of it is the idea that cyber insurance will simply cover the losses. The biggest reason is everyone knows we haven’t solved ransomware — and to an extent can’t — so it’s just the cost of doing business.”
Nasser Fattah, North America steering committee chair at Shared Assessments, added that when he sees that board members are not seeing a known threat like ransomware as a top priority, then we have an opportunity to convey — in business terms — to board members the impact in terms of revenue, customers, and brand, that ransomware can have on an organization.
“If customers are dependent on a supplier and that supplier cannot deliver due to ransomware, customers will look for other suppliers because they have a business to run,” Fattah said. “This can present not only immediate revenue loss, but also future revenue loss due to customer churn. Thus, I am giving board members the benefit of the doubt that ransomware impact has not been explained to them in a manner that’s best understood and appreciated.”
Chris Olson, CEO of The Media Trust, added that from an organizational perspective, entrenched complacency has become the greatest barrier we encounter to cyber preparedness, especially where emerging threats are concerned. Olson said despite years of escalating ransomware and phishing attacks, many investors and executives believe that their companies are invulnerable until it is too late.
“This is especially concerning when traditional attack channels are replaced by new ones — for instance, phishing scammers are increasingly relying on digital channels like the web and mobile devices over traditional channels like email,” Olson said. “At the same time, both are becoming exponentially more dangerous as political tensions increase state-sponsored cyber activity around the world.”