Every year we survey visitors to our booth at Black Hat about trending topics. This year, we asked about ransomware and the ever-increasing complexity of our cybersecurity environment. The results are very interesting - things may be getting much better, or we may all be collectively in denial. Let's break it down.
We surveyed 145 IT security professionals. First, we wanted to check in with the industry on their experiences with ransomware. We started by asking how many have been the victim of a ransomware attack - it turns out nearly 17% had been. Sadly, this fairly large number didn't come as much of a surprise to us given the headlines we have seen in the media recently.
Of course, one of the most difficult decisions anyone will make in their IT security career is "should I pay to get my data back?" If ransomware has caught you off guard, your job or even the future of your company may be at stake. While rewarding criminal behavior may be a bad idea, when the stakes are high it can be difficult to take the high road. However, almost 58% of our respondents say they would.
This led to another question. Should it be illegal to pay the ransom? After all, if we allow ransomware criminals to achieve their goal, how will we ever stop them, and how will we incentivize companies to properly prepare themselves to thwart them? People were split on this question, with about 40% saying it should be illegal, and 60% saying that it should not be. Given this result, we probably won't see the IT community lobbying for new legislation in this area.
The most surprising result came when we asked if IT security professionals were ready for a ransomware attack. In case you're new to security, the only chance you have to mitigate ransomware is a solid security program that uses protection tools to close down every vector you can, and even then it is almost impossible for these controls to be 100% effective. The only way to recover from ransomware is to have complete backups of your systems, wipe them clean, and start over. Expert tip: make sure the backups aren't stored on your network where they can be encrypted with the rest of your data.
Surprisingly, a full 69% of our survey respondents claim that they are prepared for a ransomware attack. This is wonderful news. It's also pretty surprising, given everything we see in the press these days:
- More than 40 municipalities have been the victims of cyberattacks this year (NY Times 8/22/19)
- A total of 850.97 million ransomware infections were detected by the institute in 2018 (Ponemon Institute)
- Ransomware attacks on businesses have increased in the first quarter of 2019, up 195% since the fourth quarter of 2018 (Malwarebytes)
Only time will tell if our respondents are as prepared as they feel. We hope everyone is double checking their backups in the meantime.
Switching gears, we also wanted to understand how security buyers are feeling about their security programs and their ever-increasing complexity. We're all aware of the constant innovation in security technology - every new IT innovation and new attack vector seems to bring another set of mandatory prevention controls. But the old controls (endpoint, for example) never seem to go away.
This proliferation of products came across clearly in our responses, with over 30% reporting they use at least 20 products. Industry research also indicates that enterprises can have over 75 security products to manage.
If there's a silver lining in this complexity, it's that 69% of respondents believe they have their security regime under control, with only 29% saying they are overwhelmed by the complexity of their environment.
One question in particular shines a light on a major challenge for security buyers and vendors alike - siloed security products and complex solutions. When we asked "Does inconsistent or incomplete integration of security solutions make your organization more vulnerable?" a full 60% said that it does. This isn't surprising given the number of security products in use. How can we know that we are following best practices for all of them? And how can we utilize that investment to better detect and respond to threats? Does your endpoint protection product cooperate with your cloud security product to detect threats? Can your detection and response product reconfigure the firewall or endpoint to mitigate a threat? This is the next step we must take to maximize our chances of stopping attacks, and it is a major focus for AT&T Cybersecurity and our many security service providers.
Lastly, we wanted to know what keeps IT security professionals up at night. While "Nation State Actors" was the leader, results were all over the board. Clearly, we have a lot on our minds. Which makes sense, doesn't it?