Financial services firms spend over $2m recovering from ransomware attacks – Sophos
Mid-sized financial services organisations worldwide spent more than $2 million on average recovering from a ransomware attack in 2020, according to the latest Sophos survey.
The State of Ransomware in Financial Services 2021 report shows that this figure surpasses the global average of $1.85 million. At the same time, the financial services sector appears to be the most resilient against ransomware: victims surveyed in the sector said they were able to restore about 63 percent of their encrypted data from backups. Paying did not guarantee recovery either. Just 4 percent of financial services organisations that paid the ransom got all of their data back, and 33 percent got back no more than half of it. In other words, paying the ransom does not pay off.
The survey also found that 34 percent of the financial services organisations surveyed were hit by ransomware in 2020; 51 percent of the organisations impacted said the attackers succeeded in encrypting their data; only 25 percent paid the ransom demanded to get their encrypted data back. This is the second-lowest payment rate of all industries surveyed. The global average was 32 percent.
John Shier, senior security advisor at Sophos, said the financial services sector has over time enforced strict guidelines that encourage strong defences.
“Unfortunately, they also mean that a direct hit with ransomware is likely to be very costly for targeted organizations. If you add up the price of regulatory fines, rebuilding IT systems and stabilizing brand reputation, especially if customer data is lost, you can see why the survey found that recovery costs for mid-sized financial services organizations hit by ransomware in 2020 were in excess of $2 million,” Shier said.
The financial services sector is among the most highly regulated industries in the world. Organisations in the sector must adhere to a myriad of regulations, including the Sarbanes-Oxley Act (SOX), which requires financial reports to include an internal controls report attesting that adequate controls are in place to ensure the accuracy of financial data and to safeguard it. Those handling the personal data of EU residents must also comply with GDPR, and those handling payment card data with PCI DSS.
These regulations carry costly penalties for non-compliance and for data breaches. Many of these organisations are also required to maintain business continuity and disaster recovery plans to minimise the damage from data breaches or operational disruptions stemming from a cyberattack.
The Sophos survey also showed that 8 percent of financial services organisations experienced what is known as ‘extortion’ attacks. This is a situation where data is not encrypted, but stolen and victims are threatened with the online publication of their data unless they pay the ransom.
Shier says backups cannot protect companies against this risk, so financial services organisations should not rely on them as an anti-extortion defence. A backup restores access to encrypted data, but it does nothing to stop a stolen copy from being published.
Some companies believe they will never be attacked because they do not fit the profile of the organisations attackers consider targets: 11 percent of financial organisations surveyed by Sophos said they would not get hit because they are 'not a target'.
Shier says this is a dangerous perception because anyone can be a target. The best approach is to assume you will be targeted and build your defences accordingly.
“The financial sector has too much at stake to not set up an in-depth defensive plan to protect, detect and block cyberattackers,” said Shier. “While they should continue to invest in backups and their disaster recovery efforts to minimize the impact of an attack, they should also look to extend their anti-ransomware defenses by combining technology with human-led threat hunting to neutralize today’s advanced human-led cyberattacks.”
The State of Ransomware in Financial Services 2021 survey polled 5,400 IT decision-makers, including 550 in financial services organisations, in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.