Five misconceptions businesses keep having about ransomware

Today’s columnist, Bipul Sinha of Rubrik, writes that Verizon’s 2022 DBIR found a 13% rise in ransomware breaches last year, a jump as large as the increases of the previous five years combined. Sinha offers five insights into what companies continue to get wrong about ransomware. (Photo by Andrew Burton/Getty Images)

Statistics about ransomware, the decade’s worst cybersecurity scourge, have become eye-popping.

Ransomware breaches rose 13% last year, a jump as large as the increases of the previous five years combined, according to Verizon’s 2022 Data Breach Investigations Report. Cybersecurity Ventures has estimated that a ransomware attack happens every 11 seconds, and that by 2025 the global cost of cybercrime, of which ransomware is a leading driver, could hit $10.5 trillion a year, roughly half the size of U.S. GDP.

Ransomware – malicious software that encrypts files and locks users out of systems until a ransom is paid, increasingly combined with stealing the data first and threatening to publish it – has become one of the hardest types of cyberattacks to recover from, causing costly business disruptions and loss of critical information and data.

And the threat won’t go away anytime soon.

First, the pandemic sparked massive digital acceleration in both our professional and personal lives and expanded the attack surface for the bad guys to exploit.

Second, the proliferation of cryptocurrencies and ransomware as a service – in which developers rent their ransomware to affiliates, typically in exchange for a cut of each ransom – has made it easier to execute attacks and made ransomware a lucrative criminal business model. Finally, ransomware and data attacks have become favorite tactics of nation-state actors as well.

And while ransomware has become a clear and present danger for businesses of all sizes, many companies still lack a deep and nuanced understanding of ransomware, and that could leave them more vulnerable to attack. Here are five common misconceptions to stay away from:

  • Businesses think an attack won’t happen to them.

In today’s environment, ransomware attacks are virtually inevitable. Because attacks often take the form of ever-more devious social engineering tactics – for example, someone in the company gets tricked by a phishing email into opening a malicious attachment or link – breaches have become more a matter of when than if.

“People remain by far the weakest link in an organization’s cybersecurity defenses,” according to the Verizon report, which said social engineering, along with other human errors and misuse of privilege, was involved in 82% of breaches in the past year.

Businesses are wise to assume an attack will happen and focus on how to keep operating after it does – in other words, emphasize resiliency over prevention.

  • Security teams believe their firewall or antivirus software will stop attacks.

The typical business has dozens of perimeter and infrastructure security solutions – for the network, the applications, the devices, the cloud – yet remains highly vulnerable to cyberattacks. Criminals have proven frighteningly adept at worming their way into supposedly secure systems.

As a result, businesses can’t afford to install only infrastructure security; they must invest in data security as well: controls that watch the data itself for signs of compromise, keep copies an attacker cannot alter or delete, and, should an attack happen, speed recovery.

Think of the right integrated approach to cybersecurity as being like mixed martial arts. Fighters can’t win with just their hands; they need their arms, elbows, legs, and knees to prevail.

  • Top business leaders believe paying the ransom will make the problem go away.

While victims are often tempted to give in to the demands of the attackers, paying the ransom may signal to the bad guys that the victim is willing to part with money or that it has cyber insurance and doesn’t care. Companies may think the attack is a one-and-done situation, but the perpetrators may just wait six months and hit the business again.

“The FBI does not support paying a ransom in response to a ransomware attack,” said an agency advisory. “Paying a ransom doesn't guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

  • IT teams think deploying a simple data backup system is enough.

Traditional data backup systems were designed for natural disasters and operational errors. But protecting data against ransomware attacks is different. Attackers typically dwell in the environment for days or weeks before encrypting anything, so the backups taken in that window can already contain the attacker’s tooling and persistence; restore them and the environment is reinfected. Attackers also know where the backups live and routinely try to delete or encrypt them first.

To avoid a “Groundhog Day” effect and tackle this sophisticated breed of attacker, businesses need data protection that goes well beyond what legacy backup and recovery offerings have promised: copies that cannot be altered or deleted from the production environment (immutable or offline), retention long enough to reach back to before the intrusion began, and restore procedures that are rehearsed and that verify a snapshot is clean before it is put back into service.
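As an added illustration of that last point (this is example code written for this article, not Rubrik’s product or any vendor’s tooling), the following Python script triages a backup snapshot before it is restored: it looks for ransom-note filenames and for files whose byte entropy is close to 8 bits per byte, the signature of encrypted output, while skipping formats that are legitimately compressed. The directory layout, filenames, indicator list and thresholds are constructed assumptions; a real deployment would use the organization’s own indicators and run the scan from an isolated recovery environment.

```python
"""Pre-restore triage of a backup snapshot for signs of ransomware.

Example code added to this article; it is not Rubrik's or any vendor's
product code. Indicator names, thresholds and the sample layout are
assumptions chosen for illustration.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed ransom-note filenames (constructed for the example, not a real IOC feed).
RANSOM_NOTE_NAMES = {"how_to_restore_files.txt", "readme_decrypt.txt"}
# Compressed/encoded formats also sit near 8 bits/byte; skip them so the
# entropy test does not flag every archive and image as "encrypted".
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4"}
ENTROPY_THRESHOLD = 7.5   # bits/byte: ciphertext approaches 8.0, office text sits well below
MIN_SIZE = 256            # entropy estimates on tiny files are too noisy to act on


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_snapshot(root: Path) -> dict:
    """Walk a snapshot mounted in a staging area and collect suspicious files."""
    findings = {"ransom_notes": [], "high_entropy": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in RANSOM_NOTE_NAMES:
            findings["ransom_notes"].append(rel)
            continue
        if path.suffix.lower() in COMPRESSED_SUFFIXES:
            continue
        data = path.read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def safe_to_restore(findings: dict) -> bool:
    """Block the restore if anything suspicious was found; a human reviews first."""
    return not findings["ransom_notes"] and not findings["high_entropy"]


def build_sample_snapshot(infected: bool = True) -> Path:
    """Build a constructed snapshot in a temp dir: clean files, plus (optionally)
    an encrypted-looking file and a ransom note, as a ransomware run would leave."""
    root = Path(tempfile.mkdtemp(prefix="snapshot_"))
    (root / "finance").mkdir()
    memo = b"Quarterly revenue summary for the board. " * 40   # low entropy, normal text
    (root / "finance" / "q3_memo.txt").write_bytes(memo)
    # A legitimate archive is near-maximal entropy too; the suffix skip keeps it quiet.
    (root / "finance" / "photos.zip").write_bytes(bytes(range(256)) * 4)
    if infected:
        rng = random.Random(20220701)   # fixed seed keeps the example deterministic
        blob = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for ciphertext
        (root / "finance" / "q3_report.xlsx.locked").write_bytes(blob)
        (root / "HOW_TO_RESTORE_FILES.txt").write_text(
            "Your files are encrypted. Contact us to buy the key."
        )
    return root


if __name__ == "__main__":
    snapshot = build_sample_snapshot()
    result = triage_snapshot(snapshot)
    print(result)
    print("safe to restore:", safe_to_restore(result))
```

Run it as-is and it builds the constructed snapshot, reports the ransom note and the encrypted-looking `.locked` file, and returns “safe to restore: False”; calling `build_sample_snapshot(infected=False)` gives a snapshot that passes. The entropy check is a triage signal, not a verdict: it will still miss a dormant loader hidden in a normal-looking file, which is why it belongs alongside endpoint scanning of the staging environment and a restore point chosen from before the intrusion began.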

  • The entire company lets the small stuff slide.

Most of the big problems in cybersecurity are caused by tiny mistakes. The company allowed passwords that were easily guessable, failed to apply a patch in time, or didn’t implement multifactor authentication.

Paying attention to basic security hygiene – such as requiring long, unique passwords and screening them against known-breached password lists (NIST SP 800-63B no longer recommends forced periodic expiry, which pushes users toward predictable variations), encrypting laptops’ disks, patching promptly, and enforcing multifactor authentication, a building block of zero-trust access, everywhere it is offered – can go a long way toward shoring up companies’ defenses. It pays to sweat the small stuff.

By weeding out these five myths when addressing their cyber security needs, companies can avoid costly mistakes. As ransomware grows more pernicious, misconceptions about this unique threat can cost the business a lot of money – or even sink the company.

Bipul Sinha, co-founder and CEO, Rubrik
