According to a survey conducted by the Canadian Internet Registry Authority (CIRA), most organizations in Canada still choose to pay ransomware gangs after successful attacks.
One conclusion from an online survey of 500 Canadian cybersecurity professionals is that organizations with at least 50 employees are at risk. The survey was released by CIRA on Tuesday.
CIRA oversees the .ca registry.
41% of respondents reported that their organization had been targeted by a cyber attack in the past year. Among these, 23% confirmed that their organization had fallen victim to a ransomware attack, an increase of 1% compared to last year.
70% of organizations surveyed said they paid ransom demands, with nearly a quarter paying up to $100,000. These numbers are similar to previous surveys conducted by CIRA. In 2022, 73% of those affected by ransomware paid, compared to 69% in 2021.
The numbers went in the wrong direction this year, according to Jon Ferguson, CIRA’s general manager of cybersecurity.
If organizations are not prepared for an attack beforehand, it can be difficult for them to fix the problem afterwards. Some organizations choose to pay because they believe it is the easiest solution. They may not have the capability to recover without regaining access to their data.
They may also be worried about damage to their reputation if word gets out about a ransomware attack, he added.
Some organizations in 2023 may not be ready to deal with ransomware because they struggle to comprehend the risks that come with adopting new technologies in IT.
The survey showed that IT professionals acknowledge the issue of ransomware. In fact, 75% of the respondents expressed their support for a law that would prohibit organizations from paying ransoms. This is an increase from 64% in the previous year’s survey.
64% of respondents in the survey said they had used their incident response plans in the past year. Ferguson noted that it is at least good that they had a plan to use. In fact, 44% of respondents said their company has a comprehensive incident response plan, while another 40% said they have a basic plan.