Most UK firms pay ransomware demands, despite ‘do not pay’ policies

Most "do not pay" ransomware policies in the UK aren't worth the paper they're written on, according to a new report.

While 94% of UK organizations have a policy not to pay out in the event of a ransomware attack, 97% of those that have fallen victim in the past two years have paid out a ransom.

The research, from data security and management firm Cohesity, polled over 900 IT and security leaders in the UK, US and Australia. It found that three quarters of respondents said their company would be willing to pay over £2.4 million to recover data and restore business processes, with four in ten saying the figure would be more than £4 million. 

"Many organizations said they would pay a ransom to reduce disruption. Paying the ransom almost certainly results in a loss of some of the data," said James Blake, Cohesity's global head of cyber resiliency GTM strategy. 

"Not to mention we’ve seen the UK sanction ransomware operators; the last thing senior management need after dealing with a ransomware attack is the prospect of a huge fine or custodial sentence for breaching sanctions."

More than eight in ten (83%) respondents said they'd fallen victim to a cyber attack in the second half of last year and 95% believe that the threat of cyberattacks to their industry will increase this year, with seven in ten predicting it will increase by more than 50%. 

Respondents are also pessimistic about their ability to deal with incidents, with only a quarter having full confidence in their company’s cyber resilience strategy and its ability to address today’s challenges and threats.

Everyone said they needed more than 24 hours to recover data and restore business processes, with only one in ten saying their company could recover data and restore business processes within three days.

A third (34%) said they would need one to two weeks to recover, and almost a quarter (24%) said they would need more than three weeks to recover data and restore business processes.

"The figures in the survey show huge deficiencies in an organization’s ability to achieve the required recovery times to avoid significant disruption," said Blake.

Respondents were keen to see improvements in executive awareness and responsibility for data security, with only three in ten saying their senior and executive management fully understands the "serious risks and daily challenges of protecting, securing, managing, backing up, and recovering data". 

Four in five said executive management and boards should share the responsibility for their company’s data security strategy, while 64% said their company’s CIO and CISO, in particular, could be better aligned.

In terms of the effects of a successful data breach or cyberattack, the biggest concerns were brand and reputational damage, long-term operational outcomes and projects, a direct hit to revenue, and a loss of stakeholder trust, all cited by around a third. 

"Cyber resilience and data security should be a holistic organizational priority because the use of data and technology occurs in every function by every employee," said Cohesity CEO and president Sanjay Poonen.

"The severe impact of a successful cyberattack or data breach on business continuity, revenue, brand reputation, and trust is enough to keep all business, IT, and Security leaders awake at night."