Responding to the ransomware threat
It’s impossible to ignore the threat from ransomware attacks. Criminal groups are becoming more brazen, operating freely from nation states willing to turn a blind eye, if not offering tacit support. But as cyber threats evolve and ransomware attacks increase, are organisations taking the right actions to build long-term resilience?
To find out, we surveyed more than 3,000 business and technology executives around the world, including 257 in the UK. Our research highlights key challenges and reveals how organisations will seek to improve their cyber resilience in 2022.
There has been an increased intensity in ransomware attacks in 2021 – by September our threat intelligence team had already tracked more ransomware incidents globally than in the whole of 2020. Prominent attacks include Kia Motors being breached by the DoppelPaymer group and Acer falling victim to the REvil ransomware group. The temporary closure of the Colonial Pipeline on the US east coast hints at a concerning escalation if hackers now see critical infrastructure as fair game.
Our survey found that UK organisations are aware of the ransomware threat as well as the motivation behind these attacks. Almost two-thirds of respondents (61%) expect to see an increase in reportable ransomware incidents in 2022. To understand how to rapidly improve your cyber security and reduce the risk of a successful attack, read our whitepaper on responding to the threat of human-operated ransomware.
Expectations of an increase in ransomware attacks reflect concern about a broader increase in cyber threats, including attacks on cloud services (64%), malware via software updates (63%) and supply chain attacks (63%). A similar number (66%) expect to see the threat from cyber criminals increase over the next 12 months. In comparison, 56% believe the threat from existing employees will increase.
The increasing risk from all types of threat actors emphasises the need for organisations to build a strong security culture alongside their technical defences, particularly as human error is still a factor in a majority of cyber incidents.
Our research shows that UK organisations are confident they are improving their security culture across a number of criteria. For example, 80% said they had made moderate or significant progress in increasing their CEO's engagement in cyber security matters, while 77% said the same of their efforts to reduce the rate that employees clicked on phishing tests.
Despite this confidence, organisations can’t afford to become complacent, particularly with the long-term shift to hybrid working and the cyber security risks inherent in employees working from home. As new working practices are embedded, it’s an opportunity to educate people and raise awareness about security tools and processes. Hybrid working systems and controls should be designed so that employees can work efficiently and securely, without having to find workarounds or shortcuts that create additional vulnerabilities.
Almost two-thirds of UK organisations (63%) are increasing their cyber security budgets in 2022 compared to 56% in last year’s survey. A quarter of organisations (24%) plan to increase their spend by 10% or more. The evolving threat landscape and the increase in high-profile ransomware attacks will undoubtedly play a role here, but there are other factors at play.
Following the pandemic, organisations have invested in transforming their business models and working practices. Our 24th Annual CEO Survey found that more than three quarters (77%) of UK CEOs planned to increase their investment in digital transformation in 2021. To fully realise the subsequent benefits in operational agility and flexibility, organisations recognise the need to also embed greater resilience through improved cyber security.
As cyber security budgets increase, organisations are faced with the challenge of ensuring they get the best return on their investment. Our research found that few organisations are confident they are reaping the rewards from increased spending. For example, while 37% of UK respondents said they had implemented cloud security at scale, just 18% are fully realising the benefits of their investment. The remainder either weren’t investing in this area or hadn’t yet implemented it at scale.
To overcome this challenge and build greater confidence in their security investments, organisations must improve their cyber risk modelling and quantification.
Businesses that are more advanced in this area are able to benchmark the strength of their security capabilities, before using threat intelligence data to model how they might be vulnerable to cyber attacks. Data from historical cyber incidents can then be used to understand the potential impact in terms of data losses, operational disruption and financial penalties.
By building this type of analysis into continuous risk monitoring, organisations can begin to articulate cyber risk in financial terms. This ensures increases in cyber budgets are allocated to priority risks and helps build long-term resilience.
“As well as building strong cyber defences, organisations need to prepare their response in the event they fall victim to a ransomware attack. It’s critical everyone understands their role and the steps the organisation will take as it recovers from the attack. Ideally senior leaders should rehearse this scenario so they can respond quickly and confidently to a cyber crisis.”
For some businesses, greater investment in cyber security may only be a sticking plaster on a bigger strategic issue. The organisation may be too complex to properly secure. Often this complexity has built up gradually over time, either as a by-product of growth, mergers and acquisitions, or the adoption of new technologies that were messily bolted onto legacy systems.
In our survey, more than three-quarters (86%) of UK respondents said that complexity in their organisation was creating concerning levels of risk. This concern was primarily caused by complex multi-vendor environments (e.g. cloud, technology solutions, technology interoperability) and data infrastructure.
However, simplifying an organisation's structure and operations is a complex challenge in itself. This causes inertia, as boards put off making a decision on transformation or struggle to generate any urgency, even though businesses are aware that complexity creates vulnerabilities that can be exploited by ransomware groups and other threat actors.
Asked to name the top consequences of operational complexity, our respondents cited:
Many organisations don’t know where to begin with streamlining their structures and processes, particularly as attackers continue to target businesses on all fronts. In a previous article, we emphasised that simplification of company IT often requires more than minor rewiring of systems and instead may demand more fundamental change. There are three key strategic areas that require attention to build long-term cyber resilience: business models, external partners and internal systems.
Our survey indicates that UK businesses are taking steps in the right direction. More than a third (37%) have consolidated their technology vendors while 36% have rationalised their technologies, including decommissioning legacy technologies. Some 40% have streamlined operations by reorganising functions and ways of working.
These fundamental changes to IT systems are essential to maintain cyber resilience in the long term. And while they require sustained energy and investment from business leaders, the benefits will be felt beyond cyber security. Simplification of systems and structures makes an organisation more able to adapt to challenges and risks, meaning the board can confidently pursue new opportunities for growth.
“CEOs and boards need to make simplification of their IT estate a strategic priority. They must champion it among their management team and set targets to drive action. Those who are willing to step up and lead from the front will be able to rapidly reduce cyber risk and create more resilient, securable organisations.”