Many firms say they wouldn't pay ransomware if they had to disclose it publicly

(Image credit: Shutterstock)

A majority of IT security pros say they would think twice about paying a ransom demand following a cyber-attack if they had to do so publicly, a new report has found.

Surveying 1,500 IT security decision-makers, Venafi found more than a third (37%) would pay following a ransomware attack. However, more than half (57%) would change their mind if they had to make a public declaration report on the payment. 

There are numerous reasons why the industry feels this way, Venafi notes, but almost a quarter (22%) said paying the ransom is “morally wrong”. In fact, two-thirds (60%) believe this type of threat should be likened to terrorism.

False sense of security

“The fact that most IT security professionals consider terrorism and ransomware to be comparable threats tells you everything you need to know—these attacks are indiscriminate, debilitating and embarrassing,” said Kevin Bocek, vice president ecosystem and threat intelligence at Venafi. 

“Unfortunately, our research shows that while most organizations are extremely concerned about ransomware, they also have a false sense of security about their ability to prevent these devastating attacks. Too many organizations say they rely on traditional security controls like VPNs and vulnerability scanning instead of modern security controls, like code signing, that are built into security and development processes.”

More than three-quarters (77%) of the respondents are confident the tools they have can keep them safe from ransomware. At the same time, two-thirds (67%) of ITDMs from companies with 500+ employees suffered a ransomware attack in the past 12 months, rising to 80% for those with 3,000+ employees.

Finally, the study claims most firms don’t use security controls capable of breaking the ransomware kill chain early in the attack cycle. Even though email phishing is by far the biggest malware distribution channel, just 21% restrict the execution of all macros within Microsoft Office documents. 

Less than a fifth (18%) restrict the use of PowerShell using group policy, while just 28% require all software to be digitally signed by their organization before use.

The study comes as the US Senate attempts to finalize its Ransomware Disclosure Act, a bill that would require companies to report paying any ransom within 48 hours. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.