Despite companies having a “do not pay” policy for ransomware attacks, most have little choice due to the massive disruption to their operations.

Findings from a study commissioned by cybersecurity firm Cohesity revealed that the majority of companies hit by ransomware attacks last year made payments to cybercriminals to resolve the incidents – 76% in Malaysia and 64% in Singapore.

The Data Security Survey Research, which polled 504 IT decision-makers from various companies, claimed that 77% of Malaysian companies and 65% of Singaporean companies had fallen victim to some form of ransomware attack in the last six months.

The ransoms paid are significant, with 54% of Malaysian companies (47% in Singapore) paying between US$100,000 and US$499,999 (RM468,500 and RM2.34mil) for data recovery, while 27% of Malaysian firms (36% in Singapore) paid more than US$500,000 (RM2.34mil).

Seventy-four percent of Malaysian respondents said their companies would be willing to pay over US$1mil (RM4.68mil) to restore business activity after an incident, while 22% said they would pay more than US$5mil (RM23.42mil).

For Singapore, 59% indicated a willingness to pay over US$1mil, while 16% are willing to pay over US$5mil.

A majority (97% in Malaysia, 91% in Singapore) of these companies noted that cyber threats in their industry have increased this year and are expecting them to worsen in the remainder of 2024.

Gaps in goals

Cohesity global cyber resilience strategist James Blake said this is an unfortunate reality for those suffering destructive cyberattacks that threaten business continuity.

“However, organisations can face this reality head-on by enhancing their cyber resilience – the ability to rapidly respond and recover from cyberattacks or traditional business continuity scenarios – by adopting modern data security, response, and recovery capabilities.

“It’s not earth-shattering that organisations are being hit with cyberattacks,” Blake said in a statement, emphasising that the big concern is that firms are breaking their “do not pay” policies because they either can’t recover their data and restore business processes, or overestimate their cyber resilience capabilities.

However, maintaining cyber resilience is a major challenge, as organisations have to contend with the rapid evolution of the threat landscape.

In the event of a cybersecurity incident, only 1% of Malaysian firms (5% of Singaporean companies) say they would be able to recover data and restore business processes within 24 hours.

This is despite 97% of respondents stating that their targeted optimum recovery time objectives (RTO) to minimise business impact are within a day.

Wisniewski says Sophos’ study found compromised credentials were the primary attack vector, yet only 43% of companies employed multi-factor authentication. — Sophos

The gap between an organisation’s cybersecurity goals and readiness shows a misalignment in their strategies, often leading them to pay off cybercriminals for rapid recovery. The study also revealed that 33% of respondents in Malaysia and 42% in Singapore are not confident in their firm’s ability to handle current cyber threats.

In cybersecurity firm Sophos’ The State Of Ransomware 2024 report, it points out that the cost to recover from ransomware incidents has risen by 50% globally over the last year, totalling US$2.73mil (RM12.79mil) on average.

“The Sophos Active Adversary report has repeatedly shown that many of the cyber incidents companies face are the result of a failure to implement basic cybersecurity best practices, such as patching, in a timely manner. In our most recent report, for example, compromised credentials were the number one root cause of attacks, yet 43% of companies didn’t have multi-factor authentication enabled,” said Chester Wisniewski, Sophos director and global field chief technology officer.

Its findings also indicate that 97% of companies with a cyber insurance policy have actively invested in improving their defences, with 76% attributing it as part of an effort to qualify for coverage, 67% citing better pricing, and 30% to obtain better policy terms.

Setting a high standard

In a separate study, cybersecurity firm Kaspersky claimed to have blocked 2.5 million “local threats” – cybersecurity risks that originate from within or directly affect a specific computer or network, including those introduced through infected files or removable media.

It also blocked 26.8 million online threats targeted at businesses throughout last year, highlighting the need for continued investment in cybersecurity to shore up defences.

Yeo says cyber resilience is non-negotiable as the motivation of attackers is high and attack surfaces are wide. — Kaspersky

“It is known that Malaysia is short of cybersecurity experts, with a recommended number of cybersecurity personnel of 27,000 by 2025,” said Yeo Siang Tiong, Kaspersky general manager for South-East Asia, in a statement.

“Our own survey also found that 48% of companies require more than six months to find a qualified cybersecurity professional. Businesses in Malaysia are in dire need of beefing up their cybersecurity posture against the escalating threats online and offline.

“The lack of focus and care for strong security protection renders companies very susceptible to cyber threats, more so for those with hybrid and remote work arrangements. This can lead to costly financial and reputational damages in the event of a major attack.”

Meanwhile, Cohesity’s Blake stressed that companies meeting the minimum isn’t enough when it comes to formulating cybersecurity strategies.

“Cyber resilience is non-negotiable because the motivation of attackers is so high and attack surfaces are so wide, a complete belief in protective controls is unrealistic.

“Successful cyberattacks and data breaches severely impact business continuity, including revenue, companies’ reputations, and customer trust. This reality should keep business leaders, not just IT and security leaders, awake at night.

“Regulation and legislation should not be the ‘ceiling’, but instead a high ‘floor’, in developing cyber resilience and adopting data security best practices or capabilities,” Blake said.