The cost of a ransomware attack to a financial services organisation now clocks in at an average of $2m (£1.44m), exceeding the global average of $1.85m (£1.33m) by a small margin. However, the financial sector is also one of the most resilient industries when it comes to facing down ransomware hits, and is significantly less likely to pay to recover its data.
These are just some of the top-level findings from a report produced by cyber security firm Sophos, which polled 5,400 IT decision makers worldwide, 550 in the financial sector, to produce its study, The state of ransomware in financial services 2021.
Sophos’s researchers found that 34% of financial services organisations were impacted by a ransomware attack during the course of 2020, and in 51% of those cases, the attackers succeeded in encrypting company data. But 62% of victims said they were able to restore fully from backups, and only 25% paid a ransom, the second lowest payment rate of all industries surveyed, 7% below the average.
Sophos’s senior security advisor, John Shier, said there were very clear reasons for the high levels of preparedness and resilience seen in the financial services sector.
Because the industry is so highly regulated, with a myriad of regulations such as the General Data Protection Regulation (GDPR), PCI DSS, and Sarbanes-Oxley that must be adhered to, financial services organisations take compliance seriously and prepare thorough business continuity and disaster recovery plans to minimise damage from potential cyber attacks.
However, the strict regulations governing the industry do have some less desirable outcomes in the event of a cyber attack, Shier said: “Strict guidelines in the financial services sector encourage strong defences. [But] unfortunately, they also mean that a direct hit with ransomware is likely to be very costly for targeted organisations.
“If you add up the price of regulatory fines, rebuilding IT systems and stabilising brand reputation, especially if customer data is lost, you can see why the survey found that recovery costs for mid-sized financial services organisations hit by ransomware in 2020 were in excess of $2m,” he said.
Shier also picked out some more worrying data points from the study: “A small, but significant, 8% of financial services organisations experienced what are known as ‘extortion’ attacks, where data is not encrypted, but stolen and victims are threatened with the online publication of their data unless they pay the ransom. Backups cannot protect against this risk, so financial services organisations should not rely on them as an anti-extortion defence.
“Further, 11% of the financial organisations surveyed believe they won’t get hit because they are ‘not a target.’ This is a dangerous perception because anyone can be a target. The best approach is to assume you will be a target and to build your defences accordingly.”
The report also revealed a certain level of resignation to the prospect of a ransomware attack among decision makers in the sector – 40% believed it was an inevitability. Of those that believed they would be hit by ransomware, 47% said attacks were now so sophisticated they were becoming harder to stop, and 45% felt they would become a target because their peers were.
Shier said this should not be used as an excuse to rest on one’s laurels. “The financial sector has too much at stake to not set up an in-depth defensive plan to protect, detect and block cyber attackers,” he said.
“While they should continue to invest in backups and their disaster recovery efforts to minimise the impact of an attack, they should also look to extend their anti-ransomware defences by combining technology with human-led threat hunting to neutralise today’s advanced human-led cyber attacks.”