A few careless clicks and not enough caution
Global ransomware costs are projected to hit $57 billion annually in 2025, rising to $275 billion by 2031, according to a report by Cybersecurity Ventures. Why are the numbers still increasing so dramatically, especially with every organisation around the world also increasingly aware of the scale, cost, and complexity of the challenge?
Our research study of 2,000 UK office workers uncovered a key part of the answer. While many employees understand the business risk of cyberattacks and the concept of ransomware, there remains a sizeable minority that simply don’t understand the risks that their own actions (or lack thereof) contribute to their organisation’s overall cyber resiliency posture.
Too often employees are not only unable to identify the clear indicators of a ransomware attack; some have never even heard of the term. Cybersecurity training may have gone over their heads, or they may never have had any. And when they do fall for an attack, they delay admitting fault, which gives attackers more time to reach critical data and systems, slows the organisation's response, and increases the long-term damage.
The good news? Seeing cyberattacks in the news headlines on an almost daily basis, organisations have woken up to the importance of cybersecurity training. Most businesses are training their staff. Our findings reveal that it’s now about focusing on the weakest parts of the chain: the staff members who don’t yet see the full picture.
So, let’s take a closer look at what the research tells us — and what businesses can do to strengthen their cyber resilience and avoid becoming part of the $275 billion statistic by 2031.
Rocky foundations
In the UK, our research reveals a worrying gap in cyber resilience. While 78% of employees across the UK have received some form of cybersecurity training in the past year, more than one in five (21%) said they have had no exposure to any training. That is a significant blind spot.
These individuals have not been taught basic cybersecurity measures, the need for shared responsibility, or what to look for in an attack. That leaves them ill-equipped to recognise the phishing emails that typically deliver ransomware, let alone to respond appropriately.
Even among the majority who have been trained, understanding is patchy. Only 43% say they know exactly what ransomware is, which is clearly not enough when the business risks are this high.
To make matters worse, ransomware is evolving fast. With generative AI, attackers can use large language models to write personalised emails, mimic trusted sources (such as a colleague or a well-known institution), manufacture a sense of urgency, and send messages en masse at all hours of the day. Increasingly they also use deepfake voice and video to talk employees into handing over credentials or access rights.
Worse, this tooling has been tweaked, tested, rolled out, and shared specifically to exploit one common thing: the unobservant weak links in organisations.
Keeping schtum
When an employee realises they may have fallen victim to a ransomware attack, many still fail to notify their organisation in the correct way, according to our study. In too many circumstances they see it as ‘not their problem’. They don’t want to create a fuss. They don’t want to get into trouble. The organisational culture of encouraging transparent and timely communication of these threats has not been established.
Even in businesses where reporting lines are clear, some employees would still choose not to report their suspicions. Of the 79% of staff who said they were confident they could identify if their organisation was targeted by a malicious cyberattack, around 39% said they wouldn’t inform the cyber security team.
Some of this comes down to employees choosing to report issues to their line manager only rather than following best practice and informing both their manager and the relevant cyber security teams. But 26% said they wouldn’t tell anyone at all at work if they suspected an attack. This silence can seriously hinder incident response efforts.
What to do?
Businesses have done well to shore up their cybersecurity posture in recent years. Today the task is strengthening the weakest links. Our research gives a good indication of where the people-related vulnerabilities lie, but it is now key that you carry out your own risk assessments to identify the most pressing misconceptions and gaps within your organisation, and then act on them.
But people are only part of the cyber resilience story.
A cyberattack can hit at any moment, and when it does, time is of the essence: the faster the organisation can get back up and running in a known-secure state, the more limited the impact. Planning, processes, technology and cyber skills are all key elements of cyber resilience.
In some ways the research confirms what we already know. When it comes to ransomware, people are the weakest link. There is a job to be done with employees, but organisations also need to ensure that their processes, cyber skills, and technologies are as robust as they can be, because no matter how hard you try, some employees will always fall for an attack.
About the Author
James Blake is Global Head of Cyber Resiliency Strategy at Cohesity.
Cohesity's mission is to protect, secure, and provide insights into the world's data. The largest organizations around the globe rely on Cohesity to strengthen their business resilience. With the Cohesity Data Cloud, customers can recover from cyber events faster, manage and secure their data at enterprise scale, and gain insights from its AI capabilities.