A third of global businesses would pay hacker ransom demands

05 June 2018 | Natalie Bannerman


One third of global business decision makers say their organisations would pay a ransom demand from a hacker rather than invest in information security.

The findings come from the 2018 Risk: Value Report by NTT Security, which found that the trend arises because companies want to cut the costs associated with investing in robust information security.

“We’re seeing almost unprecedented levels of confidence among our respondents to this year’s report, with almost half claiming they have never experienced a data breach,” said Kai Grunwitz, senior VP of EMEA at NTT Security. “Some might call it naivety and perhaps suggests that many decision makers within organisations are simply not close enough to the action and are looking at one of the most serious issues within business today with an idealistic rather than realistic view.”

According to the report, in the UK this figure sits at around 21%, and a further 30% of businesses in the UK are not sure whether they would pay the ransom, indicating that only approximately half are prepared to proactively invest in security.

There also seems to be a distorted perception of confidence among UK respondents. 41% claim that their organisation has not been affected by a data breach, compared to 47% worldwide. Conversely, 10% expect to suffer a breach, 31% do not expect to suffer a breach at all and, interestingly, 22% say that they are not sure if they have suffered a breach or not.

“This is reinforced by that worrying statistic that more than a third globally would rather pay a ransom demand than invest in their cybersecurity, especially given the big hike in ransomware detections and headline-grabbing incidents like WannaCry. While it’s encouraging that many organisations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs,” added Grunwitz.

Image and perception came top of the list when respondents were asked how a data breach will impact their business most, with almost three quarters (73%) concerned about loss of customer confidence, and damage to reputation next at 69%. In revenue terms an estimated 9.72% is the predicted loss a company could expect to take

Earlier this year NTT Security produced its Global Threat Intelligence Report (GTIR), in which it reported that ransomware attacks increased by 350% during 2017 alone, accounting for 29% of all attacks in EMEA and 7% of malware attacks globally.

As for organisational responsibility for information security, the results were mixed. 19% of UK respondents said the chief information officer is responsible, compared to 21% for the chief executive officer, 18% for the chief information security officer and 17% for the IT director.

In terms of preparedness, 17.02% of respondents said that their operations departments spent more of their budget on security and 12.94% said they noticed an increase in security spending in their IT departments, compared to 17.84% and 14.32% in operations and IT worldwide.

77% of UK organisations and 57% globally say they have a security policy in place, while 10% in the UK and 26% globally are working on one. 85% of UK respondents with a policy in place say that it is actively communicated, with 30% claiming that their employees are fully aware of it.

“The UK is leading the pack when it comes to planning for a security breach or for non-compliance of information/data security regulations,” continued Kai Grunwitz. “Given that the GDPR has just come into force, this is encouraging. However, while the majority claim their information security and response plans are well communicated internally, it seems it’s only a minority who are ‘fully aware’ of them. This continues to be an area that businesses are failing on time and time again and needs to be addressed as a priority.”