Businesses are challenged to mitigate a growing danger from ransomware, which has become one of the world's biggest cyber-security threats.
This finding comes from a new report called "State of Ransomware" (registration required) published by Malwarebytes. The anti-malware software vendor partnered with Osterman Research to learn more about the severity of the ransomware risk.
Their survey measured the frequency of cyber-security attacks, how attacks work within the enterprise, infiltration points, ransom cost, impact, and company preparedness, among other factors.
Survey responses came from 540 CIOs, CISOs, and IT directors and managers knowledgeable about security. Participants represented companies with an average of 5,400 employees across the US, Canada, Germany, and the UK.
Results revealed nearly 80% of organizations surveyed have been the victim of a cyberattack, and 47% have been the target of a ransomware attack over the past 12 months. Of the enterprises targeted by ransomware, 34% lost revenue and 20% had to cease operations immediately.
"Over the last four years, ransomware has evolved into one of the biggest cyber security threats in the wild, with instances of ransomware in exploit kits increasing 259 percent in the last five months alone," wrote Nathan Scott, a ransomware expert and Malwarebytes' senior security researcher, in a statement.
It's a problem costing some businesses a lot of money. Nearly one-third of ransomware victims have received demands of $500 or less, an amount typically related to a spam-type attack. Nearly 20% of victims have received demands exceeding $10,000, which is usually the sign of a more targeted attack.
However, not all businesses pay the ransom. On average, 37% of organizations surveyed said they pay the demanded ransom following an attack. Businesses in the US were far less likely to pay after being infected with ransomware, according to the report.
The companies most heavily targeted by ransomware attacks are those in healthcare and financial services, which the report noted "comes as no surprise." Businesses in both industries rely heavily on access to business-critical information. As a result, they are top targets for cyber-criminals producing ransomware.
Businesses within the US have demonstrated commitment to addressing the ransomware threat. More than half consider investments in tech-based solutions and end-user ransomware education to be "high" or "very high" priority, according to survey respondents.
This is significant because the study found US businesses offer less ransomware-related training than businesses in other countries -- despite the fact that organizations in the US experience higher levels of security-related attacks and "a significant level" of ransomware attacks.
The increased risk of ransomware arrives at a time when IT managers are struggling to hire employees with the right skills to defend corporate networks. A global lack of cyber-security talent is leaving businesses around the world vulnerable to attacks.
A report titled "Hacking the Skills Shortage," published by Intel Security, indicates the skill shortage is posing a danger to organizations. The majority of survey respondents (82%) report a lack of cyber-security skills, which has led to reputational damage and loss of proprietary data via cyberattack.