IT Brief UK - Technology news for CIOs & IT decision-makers
85% of UK organisations hit by ransomware in past year

Tue, 30th Jul 2024

New research by Semperis reveals that 85% of UK organisations were hit by ransomware in the past 12 months, with many facing multiple attacks. The study uncovers alarming trends in the frequency, severity, and consequences of ransomware assaults on businesses. Nearly three-quarters of UK companies have paid a ransom more than once, with close to half of those targeted being attacked again within 24 hours. Some 20% of organisations experienced dual or simultaneous ransomware attacks.

The ransomware study was conducted by Semperis in the first half of 2024, surveying nearly 1,000 IT and security professionals across various industries in the US, UK, France, and Germany. The findings indicate severe implications for companies, as 43% of UK organisations that paid a ransom either did not receive decryption keys or were unable to recover their files and assets.

"Considering that there is a 24/7 threat arrayed against today's organisations, you can never say 'I am safe' or take a moment off. The best you can do is to make your environment defensible and then defend it," said Chris Inglis, Strategic Advisor at Semperis and the first US National Cyber Director. "At the centre of this whole discussion is business viability. Attackers are trying to hold that at risk so that they can then convince you to buy them out. If they can achieve a successful attack on identity, then they own privilege, and they can then use that privilege to their benefit."

Semperis' study highlights that 74% of respondents attacked for ransom in the past year have faced multiple attacks, with some falling prey within a week. In the UK, 83% of organisations that experienced an attack were targeted more than once. The financial toll on companies is significant, with 78% of targeted organisations having paid a ransom. In the UK, the figure stands at 73%, with 38% of those companies paying a ransom four times or more.

Despite the repeated payments, the repercussions remain dire. Approximately 35% of victims who paid a ransom did not receive decryption keys or received corrupted keys, a figure that rises to 43% in the UK. Additionally, 49% of respondents needed one to seven days to recover business operations to minimal IT functionality, with 12% requiring more than seven days.

Mickey Bresman, CEO of Semperis, emphasised the necessity for preparedness. "For management and the Board to make an educated decision not to pay ransom, they need to know how long recovery will take and have confidence in the process. That means you must test your plan in as close to a real-world scenario as possible and present it to the Board before an attack occurs. That way, when disaster strikes, decision-makers will be confident in their ability to say no to attackers."

One of the major findings of the study is the lack of comprehensive, dedicated identity protection among organisations. Although 72% of UK respondents indicated having an identity recovery plan, only 32% reported possessing dedicated systems for Active Directory (AD)-specific backup. Without AD-specific, malware-free backups and a tested, cyber-specific recovery plan, recovery from attacks is likely to be prolonged, increasing the likelihood that organisations will resort to paying ransom to restore operations.

The study also noted that the most significant challenge cited by organisations was a lack of support from the Board of Directors. Other concerns included budget constraints, staffing shortages, outdated systems, and compliance with cybersecurity regulations and directives.

Chris Inglis pointed to technology's role in mitigating ransomware threats. "Technology can help us analyse and assess what's happening, moment by moment. It can help us respond more quickly and recover more quickly. But the thing that is most wanting now is a collective realisation that we all have a part to play. That starts with the Board, not with the IT shop. The Board is accountable; the SEC has made that clear. Regulations are increasingly making it clear: cybersecurity is a business issue."
