Although almost 80% of state and local information technology leaders responding to a new survey said they believe that ransomware is a formidable threat, less than half said they have an incident response plan.
That’s just one of several survey results that indicate widespread unpreparedness, according to “Smart Investments for Getting Ahead of Ransomware,” a survey report released March 22 by Palo Alto Networks Unit 42 Threat Intelligence unit.
Seventy-eight percent of respondents said that the ransomware threat is unlikely to decrease in the next 12 to 18 months. Research indicates that they are right: The report notes that “ransomware-as-a-service makes it easier than ever to execute ransomware attacks.” The technology for launching ransomware attacks is evolving to use artificial intelligence to overcome identity and access management controls and to bypass phishing, which has been the typical way in. Additionally, the amount organizations pay in ransom is growing. Between 2019 and 2020, the average ransom paid by organizations in the United States, Canada and Europe jumped from $115,123 to $312,493, according to the report by Palo Alto Networks Unit 42 Threat Intelligence unit.
Despite this, only 15% of respondents said they are confident in their agency’s ability to prevent a phishing email, malware or supply chain attack from leading to a ransomware incident, and only 22% said they are confident their organization could keep an attacker from getting deep within the network after compromising a single device, user or endpoint. Most respondents – 60% and 59%, respectively – were somewhat confident.
“Organizations may believe they’ve got something on the backside that will help prevent attackers from going deeper if someone falls for a phishing email or an endpoint is compromised,” said Phil Bertolini, vice president of the Center for Digital Government, which conducted the survey, and former chief information officer for Oakland County, Mich. “However, they may not be using zero trust or another access control to prevent further movement into the network,” he said in the report.
Almost one-third of respondents did not know whether remote work had impacted their organization’s cybersecurity – a major concern given the way it expanded agencies’ threat surface.
At the same time, however, a Joint Cybersecurity Advisory found that in 2021, authorities in the United States, Australia and the United Kingdom “observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.” In 2020, FBI’s Internet Crime Complaint Center received 2,474 complaints related to ransomware, and in 2021, the Justice Department and the Homeland Security Department started StopRansomware.gov, a website intended to be a “one-stop hub for ransomware resources.”
Yet less than half of respondents to the survey said they have an incident response plan should an attack happen. Broken down, only 31% said their organization has a plan, 17% said their plan is part of a larger cyber response plan, 10% said a plan is in the works, 22% said they didn’t know and 21% said they had no plan.
One reason for the lack of preparedness may be budget related. The report states that 41% of respondents said they need some new investment to effectively respond to ransomware, with 18% saying they need a significant investment and 5% saying they need a complete overhaul. The Infrastructure Investment and Jobs Act, which allocates $1.9 billion in cybersecurity funds, including $1 billion for a four-year grant program for state and local governments, is a step in the right direction.
The investments topping respondents’ wish lists are tools to secure home networks for remote workers (41%), hiring additional security staff (37%), and using a managed security services provider as well as procuring products for public cloud monitoring and security (both at 27%).
But “a nationwide shortage of IT/cybersecurity professionals means most organizations won’t be able to hire their way out of some challenges,” the report notes.
“Ransomware is a threat that isn’t going away, and being prepared for an inevitable cyberattack needs to be a top priority for public entities,” Matthew Schneider, vice president of state, local and education at Palo Alto Networks, said in a statement.
Stephanie Kanowitz is a freelance writer based in northern Virginia.