Cohesity: Businesses Overestimate Cyber Resilience
New research found that a lot of companies that claim to be prepared for ransomware attacks were less prepared than expected and wound up paying ransoms.
New research from the data security provider Cohesity claims that most organizations overestimate their cyber resilience, putting them at risk of losing data in a cyberattack.
Cohesity released its Global Cyber Resilience Report 2024 on Thursday. The company's survey polled more than 3,000 IT and security executives about how they approach cyberthreats. The majority (78%) claimed that they had confidence in their companies' cybersecurity strategies and their ability to resist modern cyber challenges. At the same time, the majority of respondents (67%) said that they'd fallen victim to a ransomware attack in the last six months and most paid a ransom during that period.
“The reality for organizations is that destructive cyberattacks, like ransomware, are a ‘when’ not ‘if’ reality that threatens their business continuity,” said Brian Spanswick, CISO and CIO at Cohesity. “However, organizations can tackle this reality head-on by enhancing their cyber resilience − the ability to rapidly respond and recover from cyberattacks or traditional business continuity scenarios − by adopting modern data security, response, and recovery capabilities. Organizations may have the greatest confidence in their cyber resilience, both in their strategy and capabilities, but the reality is that the majority are paying ransoms or would pay a ransom, so organizations are overconfident or overestimate their cyber resilience.”
Nearly seven out of ten (69%) reported that they had paid a ransom in the last year despite having a "do-not-pay" policy in place.
The majority of companies lacked the tools to respond appropriately to ransomware attacks. Only 2% said they had tools for recovering data and business procedures within a 24-hour period. Eighteen percent said their company was able to retrieve the data and restore business processes within one to three days. Only 32% said they had the ability to recover and restore their data within four to six days.
Less than one-half of companies said that they have all the IT and security tools required to "identify sensitive data and comply with data privacy laws and regulations."
“Cyber resilience is critical because the incentive and motivation of attackers is so high, with attack surfaces incredibly vast, so a reliance on protective controls is unrealistic,” said Spanswick. “Successful cyberattacks and data breaches severely disrupt business continuity, impacting revenue, reputation and customer trust. This risk must be at the forefront of business leaders’ priorities, not just IT and security leaders. Similarly, regulation and legislation should not be seen by companies as the ‘ceiling,’ but instead the ‘floor,’ in both developing cyber resilience and adopting data security or recovery capabilities.”
Cohesity announced in February that it had acquired Veritas, a data protection provider.