Ransomware preparedness: The long road ahead

Is your organization ready for ransomware? A recent survey shows that businesses in a variety of industries are all struggling with ransomware prevention and recovery.

Niels Bohr, the famous Nobel Prize laureate in Physics, once said, "Prediction is very difficult, especially if it's about the future." This was before the seemingly unstoppable growth of data and data sources -- and the ingenuity of cybercriminals trying to get to it or prevent you from using it.

Here's a prediction you can take to your crypto-bank: There will be more data and more ransomware attacks in the future. Today, I will focus on ransomware preparedness.

The threat of ransomware needs no introduction. That threat keeps IT and business executives up at night. Despite this constant feeling of imminent danger, it is surprising to see that few organizations actually feel or are prepared for an attack. It may be because of the amorphous nature of cyber threats -- you never know where it's going to come from or what it will look like.

IT complexity, IT and organizational silos, and the lack of skill sets may all be contributors to this situation. At TechTarget's Enterprise Strategy Group (ESG), there isn't what we would call a holistic "blueprint" or "reference architecture" that delineates how to build effective strategies for ransomware protection.

Many organizations -- maybe yours -- are building their own approaches and processes to improve their ransomware preparedness posture. But is it working? After all, many different security and data protection tools have built-in ransomware protection. Yet, successful attacks keep happening. Where are the challenges and shortcomings, and what does the overall market preparedness look like?

Survey says IT pros aren't prepared

In order to get more visibility into these many facets, ESG conducted an in-depth survey, "The Long Road Ahead to Ransomware Preparedness." The June 2022 survey included 620 IT and cybersecurity professionals involved with the technology and processes associated with protecting against ransomware.

Survey participants represented midmarket (100 to 999 employees) and enterprise-class (1,000 employees or more) organizations in North America (United States and Canada) and Western Europe (U.K., France and Germany). Survey participants represented a wide range of industries, including manufacturing, financial services, retail and technology, among others.

Our approach was to loosely follow the well-established NIST model, which is designed for organizing, planning and building an integrated set of information and information technology architectures. We closely looked at readiness, prevention, response, recovery and business continuity dimensions and scored the responses of our respondents to develop a grade and segment the market in preparedness levels. 

ESG employed a points-based scoring system, with increasing point values being awarded for behaviors and attributes more in line with a robust and multifaceted ransomware preparedness strategy.

Overall, results showed that the market's preparedness is average and significantly under par in certain key areas, suggesting that the ransomware battle will take a long time. 

Zooming in on a few data points, our findings highlighted that most organizations report having experienced a ransomware attack within the last year. Only one in seven reported getting all data back after paying a ransom.

Readiness is poor overall, except for the most advanced organizations better prepared with processes, staff and technologies. We uncovered significant gaps, yet teams are working together and supporting the budget: IT, security and data protection are key contributors.

Ransomware recovery still lacking

Historical investments in prevention and response have paid off overall, especially for the most advanced organizations. We saw that, historically, most organizations prioritized investments in prevention programs and technology, but nearly half of organizations said they believe they have gaps in their vulnerability management programs. The best-prepared organizations got an almost perfect score in this dimension. Skill shortages are a key challenge when looking at the response space, with many organizations depending too much on internal resources. Most organizations heavily use detection and response platforms and services from the endpoint out to the network.

The ability to recover from an attack is sorely lacking overall, leaving even the most prepared vulnerable.

However, the ability to recover from an attack is sorely lacking overall, leaving even the most prepared vulnerable. Recovery is the troubled child, as highlighted before: It is not a guarantee! In this area, our research showed that backup is the most commonly used technology. Key capabilities organizations are looking for include data encryption, SaaS data protection, endpoint device protection and the ability to recover to any point or location. It should also be noted that air gapping is fundamental to a ransomware recovery strategy, yet less than one-third of organizations surveyed had deployed air gaps.

Business continuity capabilities, which need to be adjusted to this new normal, set the most advanced apart. Recovery point objective and recovery time objective vary widely depending on the maturity of the organization: The more mature do better in both areas, but recoverability scores are unacceptably low, even for the best. It may be because organizations do not protect their mission-critical applications enough.

As an IT professional, you can see why we called this report "The Long Road Ahead to Ransomware Preparedness." It's going to take teamwork across the whole organization and the vendor ecosystem to improve and harden your capabilities -- and it's going to take some time! The good news is that it can be done. Some organizations are better than others, and that's why they're the "leaders" in our research and can provide a blueprint for success. You also need to evaluate the ecosystem of vendors to use: They, too, have to play nice with each other.

In time, we expect to see a strong focus on integrations, APIs and product portfolio expansions, blurring the line between cybersecurity, data management and data protection. Stay tuned for more research and blogs on the topic.

ESG is a division of TechTarget.

Next Steps

5 questions to ask when creating a ransomware recovery plan

Dig Deeper on Disaster recovery planning and management