Today, new research suggests that half (50 per cent) of large UK businesses have built a stockpile of digital currency in case of a ransomware attack – and just seven per cent are only stockpiling Bitcoin. In fact, the vast majority (93 per cent) are spreading their cryptocurrency risk by investing in other digital currencies as well.
The research – commissioned by Citrix and carried out by OnePoll – quizzed 750 IT decision makers in companies with 250 or more employees across the UK to uncover the extent to which large British businesses are accumulating stores of cryptocurrencies, the impact of the fluctuating price of Bitcoin and how organisations plan to keep these investments secure against cybercriminals. The research also considered whether the increasing use of cryptocurrencies led to business use-cases beyond paying cybercriminals to regain access to their data following a ransomware attack.
Diversifying cryptocurrency portfolios
The poll revealed that almost nine in 10 (88 per cent) responding large UK businesses, which keep a ready stockpile of digital currency, do stockpile Bitcoin. While Bitcoin has proven extremely popular, the vast majority of these companies have also invested in additional cryptocurrencies. More than half (54 per cent) have bought Litecoin but a significant proportion of these organisations have also invested in Ethereum (43 per cent), Ethereum Classic (33 per cent), Ripple (33 per cent) and Dash (29 per cent). In fact, just seven per cent of large UK businesses are choosing to accumulate Bitcoin only.
While more UK companies are building a ready stockpile of digital currency – rising from 42 per cent in 2016 to 50 per cent – the number of Bitcoins kept on standby has remained largely consistent. Large UK businesses now stockpile an average of 24 Bitcoins – only one more than the 2016 average.
This apparent consistency in terms of amount of Bitcoin kept on standby may reflect many organisations’ decision to cash in on inflated prices to make a profit. The poll uncovered that more than half (57 per cent) of those British companies stockpiling Bitcoin have sold some of their supply to make a profit as the cryptocurrency’s value inflated. An additional two fifths (38 per cent) of these businesses are currently considering making a sale – leaving just five per cent choosing to keep all their Bitcoins.
Almost two thirds (64 per cent) of those companies keeping a ready supply of Bitcoin believe that its inflated price has led cybercriminals to target their Bitcoin stockpile. In fact, large British businesses are very aware of the cyber threat to valuable Bitcoin wallets: only 5 per cent of organisations which stockpile the currency have not taken any steps to protect their Bitcoin reserves.
Of those which have made changes to secure their Bitcoin assets, more than half (52 per cent) have used specific back-up procedures. Other popular security measures include: using cold storage/offline storage (36 per cent), moving to multiple wallets (36 per cent), using a dedicated/hardened computer (35 per cent) and using dual control so multiple people are required to access the cryptocurrency (22 percent).
Many large British businesses are stockpiling cryptocurrency with a view to using it for a number of use cases beyond paying a cyber ransom if required. In fact, just four per cent are building a ready supply of digital currencies specifically to pay ransom-demanding cyberattackers. The research found that two fifths (40 per cent) plan to use the currencies to pay providers, while one in three (32 per cent) are aiming to pay employees in a digital currency. Additional plans include using it together with smart contracts or other blockchain technologies (27 per cent), as part of fundraising (21 per cent) and to pay for training, R&D or other demonstrational activities (17 per cent).
Biggest concerns: value, internal policy and security
More organisations are investing in cryptocurrencies, yet its value is a key deterrent. More than a third of large UK businesses polled cite concerns that the digital currency will crash (35 per cent) and fluctuating prices (34 per cent) as factors that discourage them from stockpiling cryptocurrencies. Additionally, almost one in five (18 per cent) are concerned that the business will not be able to cash the cryptocurrency in when required.
Organisational policies and uncertainty are also holding companies back. One in three (33 per cent) admit that the fact they don’t have a policy on how to deal with digital currency as a type of company asset deters them from stockpiling a digital currency – while 31 per cent pinpoint the lack of an assigned budget to use to purchase digital currencies as a discouraging factor.
Security concerns are similarly rife. Almost one third (31 per cent) believe a stockpile of digital currency might make the business a target for cybercriminals while almost one in five (18 per cent) worry that it might put them at risk of insider theft. Additionally, while some companies keep cryptocurrency on the off chance they are required to pay a cyber ransom, one in ten (11 per cent) raised the concern that ransomware attackers may request payment in a different cryptocurrency – which the business does not stockpile – or potentially request payment in a national currency, e.g. dollars or pounds, instead.
Chris Mayers, chief security architect, Citrix, said:
“Initially many organisations were treating ransomware as a cost of doing business – just like shrinkage and fraud in some sectors – and building a stockpile of cryptocurrency to cover potential cyber ransoms. Yet this is changing as companies begin to embrace its potential as a revenue driver, as well as an alternative means to pay for staff and services. As British companies continue to build and diversify their cryptocurrency portfolios, vital security measures must be put in place to protect these reserves and ensure they can be used for a growing range of business processes instead of falling into criminal hands through ransom or theft.
“It is encouraging to see that organisations are aware of the need to protect cryptocurrencies, even though most of them have not yet put the full range of security measures into practice. With more than one cryptocurrency, and supporting diverse business needs, security becomes both more important and potentially more complex. Organisations should adopt the same approach as they do for data and apps: simplify security by placing cryptocurrencies under centralised control with common policies and procedures, with robust defences. Cryptocurrencies must not be managed by ‘shadow IT’.”