2023 Ransomware 
Survey Results

We talk a lot about ransomware attacks within our own organizations—how to prepare for them, what to do when they happen, and the best way to stop the overall threat. While an ever-popular question is “should we pay the ransom?” (which most said they are unlikely to), there are so many other highly impactful aspects to ransomware preparedness and response. We surveyed more than 500 IT and security professionals to look at the impact of ransomware in 2021 and 2022 to begin to answer that question.

In short: The vast majority of respondents appreciate the gravity of the ransomware threat, and know that it’s likely to stay the same, or increase, given that more than one-third of respondents have experienced a ransomware event.

More than 80% of respondents believe that their organization is at the same or higher risk of being a target for a ransomware attack in 2023, as compared with 2021 and 2022, it’s good to see that it is being taken seriously.

More than 80% of respondents believe ransomware is a significant threat to their organizations

And the majority consider executives at their organizations to be somewhat informed to well-informed of the threat it poses.

Respondents identified operations (26%) and their organization’s reputation and customer trust (35%) as the top two areas that would be most negatively impacted by a ransomware attack. The exact cost of reputational damage can be hard to quantify, although BitDefender found that businesses can lose half their customer base after a data breach. And stalled operations will likely mean downtime, which can be extremely costly—in 2020, downtime cost American businesses $20.9 billion USD.

Many expect getting back to business as normal would take hours (29% of respondents), 52% expect it to take days, while others think the length of time would be closer to weeks (14%) or months (3%). Longer disruptions will of course carry bigger costs, but even in the best-case scenario, the downtime and financial impact will be significant.

The good news is that most organizations are aware of the dangers now. Many respondents believe that those in their organization understand the threat or that communicating it is becoming easier.

Since almost everyone, especially corporate decision makers, now “get” ransomware, obtaining corporate approval to purchase solutions should not create the kind of challenges that spending on IT initiatives often involves.

Overall, the majority of respondents rated their company’s level of preparedness for a ransomware attack highly, giving it a score of at least a 7 out of 10.

In addition, nearly 80% of respondents scored their confidence that their data storage strategy is ransomware-proof at a 6 out of 10 or higher. While many respondents believe their backup strategy is moderately to highly ransomware-proof, those that do not should invest in creating a ransomware-resistant backup strategy that will be both reliable and usable in the event of an incident. It’s important to be able to rely on these backups to help reduce downtime and data loss, and get operations back to normal as quickly as possible.

Further, a majority have disaster recovery (DR) or incident response (IR) plans in place.

And 60% say their organization dedicates sufficient resources to implementing security measures and educating those within their organization on them.

But a closer look also exposes areas of concern. Approximately 40% of those with DR and IR plans do not update them regularly, or the plans are undocumented. This could prove risky during an actual ransomware attack, in which there are many different groups from both inside and outside the organization involved, all of whom may have different priorities, needs, and understandings of “what needs to happen.” It’s great that so many respondents have a DR and IR plan, and working to keep them updated and documented as much as possible will further improve their utility if they’re needed. If you do not, consider implementing them, with plans for how and when they should be updated and appropriate documentation.

In the case an attack does occur, only about 56% of respondents have an IR team on retainer (or the ability to respond themselves) and cyber insurance, potentially leaving the other 44% without key aspects of their response squared away ahead of time. Consider whether cyber insurance or outside help will benefit your organization should a ransomware attack occur. Explore whether it makes sense to get an IR team on retainer, outside legal counsel, negotiators—and in the event of an incident, listen to them!

When asked how many hours per month are spent on ransomware preparedness, threat hunting, or incident response, 60% said between 0 and 4 hours. Here, there’s certainly an opportunity for companies to improve their level of preparedness against ransomware attacks. But that often requires buy-in at the highest levels of the organization to ensure resources like time, money, and personnel can be dedicated to the task. Where possible, look to increase the time your organization devotes to IR planning, threat hunting and ransomware preparedness. Consider working through tabletop exercises to walk through how key teams in the organization will work together during the ransomware attack and resulting response. This can involve your IT team, security team, and maybe senior leadership, PR, or HR teams within the organization—basically, anyone who will be involved in the real event should participate in this one.

While 13% of respondents believe nothing can be done to stop the scourge of ransomware, 45% of respondents believe that “better defenses” are the most effective step, followed by more public/private partnerships (20%) and cryptocurrency regulation (9%).

Ransomware is unlikely to go away, but implementing better defenses at our organizations can certainly help mitigate the threat. For additional ideas on how to augment defenses, check out “How to Prevent Ransomware”.

Get the full ransomware survey in one infographic.

Embed The "Ransomware Survey" infographic on your site or blog using this code.