Many businesses fail to protect themselves against ransomware attacks, according to a recent survey by SpyCloud.

Ransomware attacks hit 72 per cent of respondents during the past 12 months. But 13 per cent said they had been attacked between 6 and 10 times, with 5 per cent facing 10 or more hits a year.

“This indicates that the magnitude of the problem may be bigger than many people think,” the report said. “And the high-profile attacks that make the news are but a sliver of the full scope of the problem.”

Risky areas

Ransom attacks often use phishing emails – fake links in emails that contain viruses – and compromised identities to gain entry. However, many businesses have poor password protection systems in place – or depend on simple authentication systems. “We were astounded to learn that 41% of organisations don’t have a password complexity requirement, which is the easiest and least costly box anyone can check,” the authors said. In addition, only about half of businesses use multi-factor authentication.

People are the weakest link. Most businesses lack enough skilled security personnel. Employees also often have only a rudimentary understanding of cybersecurity.


Most companies spend heavily on cyber defence. But the survey uncovered contradictory attitudes to cyber-risk among executives. For example, one in three companies rank the maturity of cyber defences exceptional. A further half (48 percent) rank them as advanced.

“One way to explain this rift is a likely bias in the self-reported maturity and the self-reported capabilities,” the report said. “But it could also indicate that even the best defences have limitations, especially considering the evolution ransomware and the growing sophistication of threat actors.”


The UK Government’s National Cyber Security Centre (NCSC) advises organisations to plan for the worst. For example, even where businesses do not see themselves as a target, they can be hit with the consequences from a major strike against their suppliers.

In addition, it advises businesses to run through their incident management plans repeatedly. “This helps clarify the roles and responsibilities of staff and third parties, and to prioritise system recovery,” it said.

A free online tool, Exercise in a Box, is available.