Swiss companies more likely to pay ransom
Compliance with legal and contractual regulations in the area of IT is essential for data protection and IT security. Yet Swiss companies are more likely to respond to ransomware demands than to pay penalties for non-compliance. This is the shocking finding of the latest "Risk:Value Report" from NTT Security (Switzerland).
The current survey shows that, compared to the previous year, more Swiss companies would pay a ransom to the attackers in the event of a security incident than invest more heavily in information security, as they consider this approach more cost-effective: last year, 23% of the decision-makers surveyed said they would prefer to meet the attackers' demands in the event of a ransomware attack; this year, the figure is as high as 40%. This correlates with the statement that 44% of Swiss companies would rather pay a ransom than a penalty for not complying with applicable laws and policies. "This result is more than frightening, especially given the threat of ransomware attacks that is not abating," explains NTT Security's Kai Grunwitz. "If companies now expect cost benefits from paying ransom, this is more than deceptive in our eyes. And the rude awakening will come sooner or later for many."
Aware of the imminent danger
Yet companies are well aware of the looming threat: according to the decision-makers surveyed, cloud (24%), BYOD (20%), ransomware (18%) and IoT (12%) pose a potential threat in the next 12 months. However, nearly two-thirds fear that the vulnerability lies within the enterprise itself: malicious insider threats such as data theft (30%), accidental or negligent security breaches (28%), shadow IT (16%) and phishing (36%) are ranked by respondents as potential security risks.
Not surprisingly, only 42% of the companies already have an incident response plan in place; according to the study, 38% are in the process of implementing one, and a further 10% are planning to implement appropriate measures in the near future (see Figure 1). "In the past few years, not much has changed in companies with regard to the incident response plan, despite numerous security incidents that have become known and ever-increasing damage potential. Although it is only possible to respond appropriately and quickly to IT security incidents with dedicated process and emergency plans, not even half of the companies surveyed have an incident response plan," Grunwitz summarizes. "Even the encouragingly high number of ongoing implementations and projects in planning is sobering when looked at closely: past studies make it clear that they are often only compliance-driven and remain pure declarations of intent that do not lead to a significant improvement in the companies' incident response readiness in the following year - only a few of these incident response projects are successfully implemented. Working with an experienced incident response partner is therefore highly recommended."
Only half have security policies
The situation is no better with regard to security policies. Only around half of the companies (48%) have introduced complete security guidelines. However, 21% have not actively informed their employees about the policies. "It is imperative to adequately educate employees about the threats and how to properly deal with them - especially as social engineering attacks become more popular. Any employee quickly becomes a security breach if they don't have very good security awareness. Company-specific awareness training can raise awareness of the issue and give them confidence in dealing with relevant incidents," Grunwitz emphasizes.
In general, communication within companies on the subject of security must increase significantly: only 66% of the decision-makers surveyed said they were up to date on attacks, potential attacks and compliance in their company. This correlates with the statement that security is a regular item on the board meeting agenda in only 68% of companies. Furthermore, the fact that 46% have already been affected by a security incident, yet 42% of respondents expect never to be in that situation, underscores the need to become more aware of the threat. Finally, the companies surveyed are well aware of the serious negative impact of a security incident involving data theft: loss of customer confidence (42%), damage to reputation (38%) and financial losses (36%) were mentioned.
*The annual "Risk:Value Report" is compiled by the market research company Jigsaw Research on behalf of NTT Security. For this survey, 2,256 executives around the world gave their opinions on IT and IT security issues.