The results showed growing apprehension over ransomware: 79% of respondents are very or extremely concerned about it, up from 73%. The share of companies hit directly by ransomware nearly doubled, to 38% in 2016 from 20% in 2014. Midsize companies of 250 - 1,000 employees were the hardest hit, at 54%.
Additional highlights of the study:
- 61% feel email attachments pose the largest threat, up from 47% in 2014.
- 41% of companies with 1,000+ employees have been hit by ransomware, as have 35% of those with fewer than 250 employees.
- 89% consider Security Awareness Training the most effective protection from ransomware, followed by backups at 83%, almost identical to 2014.
- Only 19% feel their current solutions are very effective, while 70% feel they are somewhat effective.
- Confidence in email and spam-filtering effectiveness is 72%.
- When asked about a scenario in which backups have failed and weeks of work might be lost, 42% would begin by paying the $500 ransom and hoping for the best, down from 57% in 2014.
“We thought it would be interesting to see the level of impact that ransomware has had over the last few years. The threat of ransomware is very real and IT professionals are increasingly realizing traditional solutions are failing,” says KnowBe4 CEO Stu Sjouwerman. “IT pros agree that end-user Security Awareness Training is one of the most effective security practices to combat these ransomware threats.”
Surprisingly, only 40% would rely on backups to resolve the situation. However, faced with the scenario of several weeks of failed backups, nearly half say they would be forced to pay the ransom. This can have a grave impact on organizations, as backups fail 50-66% of the time depending on the method used (tape vs. cloud), which is why restores should be tested regularly rather than assumed to work.
Sjouwerman adds, “Our study shows corporate awareness of phishing attack vectors has increased but users need more help as techniques evolve and criminal exploits become more sophisticated. The overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time. Unfortunately, US law enforcement has no jurisdiction in Eastern Europe where these criminals are largely free to commit their crimes, and we have to rely on our own ingenuity to recognize these threats.”
According to the report, 41% of employees still receive no security awareness training, and the programs that do exist have varying effectiveness. KnowBe4 recommends frequent simulated phishing attacks to keep employees aware and on their toes.
More info: www.KnowBe4.com