WannaCry brought the threat posed by cybercriminals into the public consciousness in a way that had not really been seen before. Temporarily crippling the NHS made the dangers of cyber-attacks real and demonstrated that organisations need to take all forms of cybercrime seriously. Ransomware is a particularly devastating form of attack, and a successful attack can have a major commercial impact on businesses.
Carbon Black recently surveyed 5,000 people to gauge the public’s perception on ransomware, its threshold for paying a ransom, and the expectations consumers have on businesses to keep their data safe.
The results showed that for 57% of the consumers surveyed, WannaCry was the first exposure they'd had to the intricacies of ransomware, meaning public awareness has been – at least temporarily – raised by the high-profile nature of the attack. It remains to be seen whether the upturn in awareness continues or whether it reverts to pre-WannaCry levels. Either way, with consumer awareness so high, the commercial risks and downsides resulting from an attack are even greater from a business standpoint.
When compared side by side with other consumer-facing industries, retailers did not score well when it came to consumer trust. When asked how much they trust their financial institutions, healthcare providers and retailers to keep their personal data safe, 70% of consumers said that they trust that their financial institutions and healthcare providers can keep their data safe. Only 52% of consumers trust that retailers can keep their data safe. These results show all industries have a lot of room for improvement when it comes to public confidence, but retailers especially.
The critical part for businesses, though, is the attitudes and reactions of consumers to successful ransomware attacks. A large majority (70%) of consumers would consider leaving a business if it were hit by a ransomware attack. Financial institutions were the most vulnerable, with 72% of consumers saying that they would consider leaving them if they were hit by ransomware; for retailers it was 70%, and for healthcare providers 68%.
The fact that consumer behaviour changed little between financial institutions, retailers and healthcare providers shows a significant majority of consumers will punish companies who are affected by ransomware.
Our survey showed the general public places a huge premium on their financial data over both phone data and even medical records. When asked what their most sensitive information is, 42% said it was financial data, closely followed by the 41% who stated it was personal and family photos and videos. Mobile data and medical records were both most valued by only 5% of those surveyed.
When asked if they would personally be willing to pay ransom money if their personal computer and files were encrypted by ransomware, it was close to a dead heat with 52% of respondents saying they would pay and 48% saying they would not. This is interesting given the best practice advice for both individuals and businesses is not to pay. We know that paying ransoms is only a temporary fix and it serves to embolden and reward cybercriminals.
Of the 52% who said they would pay a demand for money from a cyber attacker, 12% of the cohort said they would pay $500 (approx. £390) or more, 29% said they would pay between $100 (approx. £78) and $500 to get their data back, whilst the majority (59%) said they would pay less than $100.
The onus of responsibility to keep consumer data safe is mostly on the individual organisations themselves, consumers said in our survey. While the burden is distributed among government organisations, software providers, and cybersecurity companies as well, consumers say the buck stops with the companies that are trusted with the private data. This is an important consideration for businesses.
This survey, which follows hot on the heels of the highly publicised WannaCry attack, shows that consumers are now very aware of ransomware and hold a view that should worry businesses. Clearly, consumers, now more aware of ransomware, have indicated that they would be very willing to leave a business that is successfully attacked. Consumers want businesses to be looking after their data – which they strongly value – and a failure to do so will have a significant commercial impact. Therefore it is imperative for businesses to make sure they have the right people, processes and technology in place to stop all forms of cyberattack, including ransomware.
For the full report on the ransomware survey that Carbon Black conducted, go to https://www.carbonblack.com/wp-content/uploads/2017/05/Carbon_Black_Ransom_Aware_Survey_Report.pdf