The cyber landscape continues to evolve at lightning speed; attacks are more frequent and increasingly sophisticated. And while the use of large language models and generative AI in cybersecurity is still in the early stages, they open the door for attackers with lower skillsets to achieve new capabilities through the generation of malicious code, and they simplify especially cunning and effective phishing attacks. Businesses recognize these threats, yet findings of the OpenText™ Cybersecurity 2023 Global Ransomware Survey paint a conflicting picture among small-to-medium businesses (SMBs) and enterprises (more than 1,000 employees) as to who is a target.
While awareness about ransomware risk is concerning, all is not bleak. Findings show SMBs and enterprises are advancing their defenses with plans to increase security budgets and invest in personnel, including leveraging the channel to offset the skills shortage.
A contradictory mindset:
A majority of SMBs (90%) and enterprises (87%) feel extremely or somewhat concerned about ransomware attacks. 46% of SMBs and enterprises report experiencing a ransomware attack this year. 54% of respondents believe they are more at risk of an attack due to threat actors leveraging AI.
Despite concerns, there is a serious disconnect as a surprising 65% of SMBs and 54% of enterprises either don’t believe or aren’t sure they are ransomware targets.
SMBs and enterprises share a similar view on how to handle ransom demands. 64% of SMBs and 70% of enterprises do not believe in paying a ransom. Similarly, 79% of SMBs and 82% of enterprises have established recovery plans to mitigate successful ransomware attacks, which indicates they are taking proactive steps in the event an attack occurs.
Taking cybersecurity seriously:
The good news is that businesses of all sizes are making investments to improve their security postures. Despite a well-documented cybersecurity talent shortage, SMBs (44%) and enterprises (43%) plan to expand their security teams next year. As a workaround to the shortage, businesses are turning to the channel. 52% of SMBs and 42% of enterprises report outsourcing security to an MSP or channel provider.
While 65% of businesses also believe their security sectors are adequately funded, SMBs (57%) and enterprises (53%) plan to increase security spend in 2024. 40% of SMBs (37% of enterprises) aim to increase budgets by 5-10%; and 33% of SMBs (31% of enterprises) plan a 10-20% increase.
Not surprisingly, cloud security remains a top concern, and key investment priority, for both SMBs (55%) and enterprises (59%).
SMBs ranked cloud security first, followed by security awareness training (52%), network protection (48%) and then email security (45%). In a slight variation of priorities, enterprises ranked network protection (62%) first, followed by cloud security. Security staffing was third (56%) and security awareness training was fourth (52%). These numbers are encouraging as they indicate businesses understand a layered approach to security is most effective.
Closing the awareness gap:
Businesses are also investing in more frequent security awareness training; SMBs are conducting training at nearly the same pace as enterprises.
83% of SMBs require employees to take security awareness or phishing training. Of these respondents, 38% conduct training quarterly and 41% twice a year. A majority (96%) of enterprises require regular security awareness or phishing training. Of these respondents, 40% of enterprises conduct security awareness training once per quarter and 34% twice a year. An increased focus on security awareness training is encouraging news given the disconnect over who is a target.