Experiencing ransomware significantly impacts cybersecurity approach
Organisations are never the same after being hit by ransomware, according to Sophos global survey.
In fact, the confidence of IT managers and approach to battling cyber attacks is very different between those who've been impacted by ransomware and those who have not, the study shows.
In fact, the survey by Sophos, Cybersecurity: The Human Challenge, reveals that IT managers at organisations hit by ransomware are nearly three times as likely to feel significantly behind when it comes to understanding cyber threats, compared to their peers in organisations that were unaffected (17% versus 6%).
More than one third (35%) of ransomware victims said that recruiting and retaining skilled IT security professionals was their single biggest challenge when it comes to cybersecurity, compared with 19% of those who hadn't been hit.
When it comes to security focus, the survey found that ransomware victims spend proportionally less time on threat prevention (42.6%) and more time on response (27%) compared to those who haven't been hit (49% and 22% respectively), diverting resources towards dealing with incidents rather than stopping them in the first place.
Sophos principal research scientist Chester Wisniewski says, “The difference in resource priorities could indicate that ransomware victims have more incidents to deal with overall.
"However, it could equally indicate that they are more alert to the complex, multi-stage nature of advanced attacks and therefore put greater resource into detecting and responding to the tell-tale signs that an attack is imminent.”
The fact that ransomware attackers continue to evolve their tactics, techniques and procedures (TTPs) contributes to pressure on IT security teams, as evidenced by SophosLabs Uncuts article, Inside a New Ryuk Ransomware Attack, the company states.
The article deconstructs a recent attack involving Ryuk ransomware. Sophos incident responders found that the Ryuk attackers used updated versions of widely available and legitimate tools to compromise a targeted network and deploy ransomware.
The attack progressed at great speed within three and a half hours of an employee opening a malicious phishing email attachment, the attackers were already actively conducting network reconnaissance.
Within 24 hours, the attackers had access to a domain controller and were preparing to launch Ryuk.
Wisniewski says, “Our investigation of the recent Ryuk ransomware attack highlights what defenders are up against. IT security teams need to be on full alert 24 hours a day, seven days a week and have a full grasp of the latest threat intelligence on attacker tools and behaviors."
He says, "The survey findings illustrate clearly the impact of these near-impossible demands. Among other things, those hit by ransomware were found to have severely undermined confidence in their own cyber threat awareness.
"However, their ransomware experiences also appear to have given them a greater appreciation of the importance of skilled cybersecurity professionals, as well as a sense of urgency about introducing human-led threat hunting to better understand and identify the latest attacker behavior.
"Whatever the reasons, it is clear that when it comes to security, an organisation is never the same again after being hit by ransomware.”