Podcasts

Don’t Become a Ransomware Statistic – IDC’s Shocking Survey Results

W. Curtis Preston, Chief Technology Evangelist

A recent survey by IDC of over 500 companies of various industries and sizes revealed some shocking results, starting with the fact that 47% of them have successfully attacked by ransomware, and 50% of those affected by ransomware also lost data. What’s even more shocking is many of them seem to have high confidence in their abilities to defend against and respond to the ransomware threat. Listen as Mr. Backup (W. Curtis Preston) and Stephen Manley (Druva’s CTO) discuss this fascinating survey and its accompanying whitepaper.

[00:00:00] W. Curtis Preston: This week on no hardware required, we’ll be talking about how ransomware is not your only problem. With me as always is our CTO. Stephen Manley. Thanks for joining. Hi and welcome to Druva’s no hardware required podcast. I’m your host w Curtis Preston, AKA Mr.

Backup and I have with me, my, uh, resiliency expert Stephen Manley. How’s it going Stephen.

[00:00:28] Stephen Manley: Well, it’s, uh, it’s 108,000 degrees here and, uh, I’m pretty sure I melted all the skin off the bottom of my feet, but I am resilient.

[00:00:38] W. Curtis Preston: We’re recording this in the middle of the California heat wave of 2022. And, uh, the thing that I, I think a lot of part of the rest of the country just doesn’t understand is that we don’t, most of us don’t have air conditioning because we live in like the best climate on the planet. And, uh, at least down here, you know, but I, I think 90% of the homes in San Diego don’t have air conditioning.

And so when it. In the nineties outside and, and, and triple digits as it has this week, we’re just like stupid. We just don’t. We just don’t know what to do.

[00:01:10] Stephen Manley: well, plus I imagine it’s similar to up here. You’re not getting those cross, right. Cause you usually get those ocean breezes. Yeah. Once that air is staggered, you’re just, yeah. Life

[00:01:20] W. Curtis Preston: Yeah, you just stuck there. So we have nothing to do, but to sit around and talk about backups and recovery and resilience. Et cetera.

Uh, I thought this week we talk about this, this, uh, survey that IDC did. Looks like they had over 500 respondents. Looks like they, they tried to get a good mix between north America, Europe, uh, APAC, uh, good mix between, you know, smaller companies, 250 to 1500, uh, 1500, 5,000, then 5,000 looks like it was a good, uh, you.

Spread between those different groups of people and over 20 different industries. It’s really, you know, if you look at this, this, um, These the summary statements, right? The, if you look at like page two of this white paper that they wrote, the, the, the three summary statements about the 85%, 92%, 93%, you see that part?

Um, it, it, it, it’s, it’s kind of shocking, um, in terms of.

[00:02:25] Stephen Manley: It’s sad. Sure. We’ll

[00:02:27] W. Curtis Preston: SA shock. It’s sad because, uh, let’s just sort of look at ’em, you know, one at a time here. So 85% of organizations claim to have a cyber recovery playbook for intrusion detection, prevention and response. Yet 46% have been successfully attacked by ransomware in the past three years, 46% successfully attacked by ransomware.

[00:02:55] Stephen Manley: And remember, this is the set of people who are a admitting it and B noticed it. So 46%,

[00:03:05] W. Curtis Preston: point.

[00:03:07] Stephen Manley: that’s the, that’s the minimum I’m gonna, I’d normally put a little bit more on that.

[00:03:12] W. Curtis Preston: Yeah. Yeah, there are probably a few more, but, but, but even that, even the 46% admitted to it, right. That they were successfully attacked by ransomware. I think I’m gonna go back to your word sad, right? The fact that 85% of them felt that they had A system to, to, to theoretically prevent and respond to that.

And it just didn’t work, uh, for roughly half of them. I dunno. What’s, what’s your thought on that?

[00:03:44] Stephen Manley: Well, I I’ll, I’ll double down because cuz I know it comes a little later in the piece just in case anyone’s listening is saying, well maybe that’s just the small companies because they don’t have the resources or time or maybe it’s the big companies cuz they, they got hit on all sides. the numbers are pretty consistent across size of company, industry, geography.

So, so nobody, nobody is excluded from this. and I was gonna say for me, you know, and I just got off a customer conversation with, with one of our, our larger customers. Um, and I, and I, and, and the person I was talking to just got the job basically of cyber resiliency czar. because it turns out that they didn’t have a cyber recovery playbook.

They had five of them. So that may also be affecting their response. Is that there isn’t actually a single plan that everybody knows about.

[00:04:41] W. Curtis Preston: Again, I’m, I’m just gonna go back to that word. Sad. I, I think that’s probably the right word. Um, and it was, you know, across the board, like you said, in terms of the size of companies, which should be both. Uh, should be something that you should note if you’re perhaps one of these smaller companies is, well, we’re a smaller company, so ransomware’s probably not gonna be a big deal.

They’re not gonna go after us. Nonsense, uh, for, for a number of reasons. I think that smaller companies are an even more, uh, of a target for ransomware, because I think maybe. Justifiably. So they’re thinking maybe they don’t have a dedicated team to respond to these kinds of things. And so maybe they’ll be more likely to pay the ransom.

So I, I think that that’s a, so the, the big takeaway for me from that is this idea that although 85%, I’m a little worried about the 15%, right. That said that didn’t have any kind of re recovery playbook. But the, but the 46%, basically half. That is huge, right? That is just, I, I know we talk a lot about ransomware, but that’s just huge, uh, from, from 500 companies for, for half of them to say that they were, they were attacked.

Um, let’s take a look at this next stat. So they’ve got 92% said their data resiliency tools were efficient or highly efficient yet 67% of those hit by ransomware were forced to pay the ransom and nearly 50% experienced data loss. Those two things are, I mean, this is the whole reason why we do what we do is to prevent people from having to pay the, the ransomware.

Right. Um, I don’t know. I we’re, we’re just gonna keep saying sad. Do you have a, do you have another adjective?

[00:06:35] Stephen Manley: but I mean, the other thing that. That that strikes me again is, is the cognitive dissonance, um, right. It’s the no, no, we’re incredibly efficient. And, and, and you just wanna ask that question efficient at what, because it’s not working. So is this one of those cases where, you know, I I’m really, really tuned, but it doesn’t actually solve my problems and, and, and, and, and that’s sad, but I also think that’s that.

That’s quite possible, right? That, that people are still fighting the old fight, right? This is, this is a common thing in war, right? You’re fighting last, you’re fighting the previous war. I think a lot of people have really tuned their environments for the problems that used to happen. And, and then they wake up and they say, no, no, I’ve got a really well run environment.

I just wasn’t ready for this new thing. Oh, I’d hate to tell you this. If you’re not ready for the new thing, your environment’s not very efficient.

[00:07:35] W. Curtis Preston: Yeah. Yeah. I think it could be, you know, I’ve been in backup a while. One of the things that have always been around is that the, the it’s very common that they had a backup system that was good at doing sort of basic operational restores. But when you know, the feces hit the rotary oscillator, They didn’t have a system.

Right. Um, so many companies don’t have a solid Dr. Plan. And, and again, you know, ransomware recovery, not the same as a Dr. Recovery, but I would still say that the Dr. Recovery is at the heart of a good ransomware recovery. So if you can’t recover quickly, quickly being the operative word there, if you can’t recover quickly from, uh, you know, having all of your data.

Deleted that, or, or encrypted, then you’re not gonna be able to successfully recover from a ransomware attack. There are some additional things you need to do, but it is interesting. So if I put those, if I put those, uh, and so I think that’s maybe. Like oh, great backup system. We do restores all the time and then we got hit by ransomware and we had to restore the whole data center.

Ah, we weren’t quite ready for that right now. You should have been

[00:08:53] Stephen Manley: right.

[00:08:53] W. Curtis Preston: right. You should have had a good Dr system, but how many times do we, you know, talk to people we’re like, oh, you know, that’s gonna be somebody else’s problem. I, I, I remember meeting with a, with a large, uh, aerospace company and they. The decision maker said, if something that bad happens, um, I’ll probably be dead.

And so I won’t care. Um, so he just basically said next, right? What, when I look at this sta though,

[00:09:28] Stephen Manley: Going back to the previous

[00:09:31] W. Curtis Preston: yeah, exactly.

[00:09:34] Stephen Manley: one’s.

[00:09:35] W. Curtis Preston: So interesting though, 67% said they paid the ransom. 50% experienced data loss. There’s something wrong here. Right? So what, so I, I wonder what the there’s no VIN diagram. I don’t think, I don’t know.

Maybe they did that later in the, in the report, but my I’m curious to know of those that paid the ransom. Did they get their data back? because there is no guarantee you’re dealing with criminals, right?

[00:10:04] Stephen Manley: right there. So, so, so anecdotally, I’ve heard a couple of things. One is, you know, in general, it, it is actually less about, you know, if you pay the Bitcoin, you will get the key. You’ll tend to be able to get the data back. So it is actually the, the ones I’ve heard where they’ve still lost data. And this goes back to the plan.

So imagine you get a small, maybe there’s a small fire in your house. And you know, someone comes in with the, with the big hose hoses down here, entire house basically destroys the house, trying to put out this tiny fire. There’s a lot of cases where we we’ve, we’ve talked to organizations where they’ve said, you know, we overreacted so much when the ransomware hit.

We actually destroyed a whole bunch of stuff. Unintentionally. We were actually more destructive than the cyber attackers because they had a bunch of junior people. They didn’t really, you know, they had a plan, but they hadn’t tested the plan and they all best effort. They, they broke a bunch of stuff, corrupted, a bunch of databases, they lost data and they chalked it up.

Of course, to, while I lost it to the ransomware attack. But it was really building fire that took him.

[00:11:17] W. Curtis Preston: It’s back. It’s back to the it’s back to the original thing of the you, your, your system is really not as resilient as you think it is. If it’s not fully tested, if it’s not regularly tested and if it’s not capable and, and you don’t have an automatable system to show that you, you can restore in a short period of time, that’s the big caveat, right?

While the, while the. While the, uh, you know, all of the news networks are blasting your company’s name across across the world. Um, you know, I think, I think about the, the colonial pipeline attack, where they both paid the ransom and restored because they, but the restore wasn’t fast enough.

Right. So they, they felt they needed to do both. Um, you know, you remember how much that I never even heard of them before that happened. And now they’re a household name, so yeah. So you, you, you need to make sure that it’s time tested. Battle tested so that when you do a restore it’s muscle memory, not where did we keep the five manuals that store the

[00:12:29] Stephen Manley: Yeah,

[00:12:29] W. Curtis Preston: ransomware recovery plant?

[00:12:32] Stephen Manley: throw in if your plan includes, you know, that guy we just hired two weeks ago, he plays a pivotal role in this working. that’s a bad plan. This should be as automated as humanly possible because humans under stress make mistakes. And so the more you can make this foolproof human proof, the better off you’re gonna be.

Cuz that guy we hired two weeks ago, he’s gonna be freaking out.

[00:13:02] W. Curtis Preston: Yeah, he is. Yeah, he is. Um, I remember the first time I had to do a, a large restore. And by the way, it didn’t work. That’s why I, that’s why I do. That’s why I do what I do is I had that large restore and, uh, it didn’t work Paris. That was the name of the server. I still remember it. Uh, the pain, the pain is still strong, Stephen.

Um, so I like what you did there. So this, this last one here, 93. Percent claim to have fully automated. This is the one that I had, the hardest difficulty swallowing, 93% claim to have fully automated or partially automated recovery tools to find the correct recovery point. Yet the inability to determine the correct recovery point was cited as the number one reason for data loss and then moreover corrupted backups were the number two reason for data loss.

Mind you remember the ransomware folks are going back. They’re going after the backups as well. Right? So if the backups are corrupted and you can’t, you can’t use them to recover. So if ha so half have been attacked, anybody can be attacked. We’re gonna, we’re gonna let you slide on the attack. Half of them lost data.

67% paid the ransom, and yet 93% are claiming to have fully automated systems to deal with this. I, I don’t, I, I, I just don’t know what to, to say about that.

[00:14:39] Stephen Manley: Uh, you know, I, I, I liken it to when I was younger. I remember we, we were looking at buying a tool. I forget what it was. It was, it was a security tool and we’re getting a demo and. This looked like the coolest, easiest tool that you would ever want to use, right? Just, you know, the, the person running it, the SEs, boom, boom, boom.

Here’s how you recover. Here’s how you detect you set up your, you set up your plans. This is just completely automated end to end. This is like the beginning of the SOAR revolution kind of thing. And, and I walked away and I was like, we’ve gotta have this tool. Cause this tool solves all my problems. So we bring the tool in house.

Luckily, you know, CISO was smart enough to say, let’s do a POC as opposed to just buying it. Cause I would just buy it. Um, we couldn’t figure out how to use it because it turns out things look a lot better when you watch someone else running it than when you have to run it yourself. And, and I’ve met a number of customers like, no, no, it’s fully automated.

Like I’ve seen, I’ve seen the demos. I’ve seen the webinar, like, all right, show me.

I’m not sure where to click and that’s the point. And that’s why he said you’re now, depending on that person, you hired two weeks ago to know exactly where to click. They’re probably not gonna get it right.

[00:15:59] W. Curtis Preston: Yeah. And you, you know, the, you, you can never automate everything, but you automate as much as you possibly can. And. The thing is, you know, test, test, test, test, um, and you, you have to do, I remember when, when I worked at the bank, uh, a hundred years ago, we did a, a Dr. Te a Dr. Test, as I make quotes in the air, um, twice a year, and a Dr.

Test meant we picked a handful of systems and we restored those systems. Because this was pre VMs. This was pre-cloud a full recovery would’ve cost millions of dollars.

[00:16:41] Stephen Manley: Right.

[00:16:43] W. Curtis Preston: So we picked a handful of systems and we did that. Um, but that was, that was then this is now. Now you can do a full recovery.

You really can. You can do a full recovery of your entire environment and. And you can test it and you can automate it as much as possible, and you can run that and you can, you can look for the challenges where you make things better. Here’s where we needed to know these pieces of information.

And those pieces of information might not be available in a true disaster or in a ransomware attack. Um, I would just, I mean, Going back to that muscle memory, right? You, when you’re doing things that are critical, I, I think of like, um, the training that soldiers go through because they don’t have time to think when they’re in the battlefield, they train to the point they train under stress.

They train under what sounds like live fire. Right. They train so that when they go on the battlefield, this isn’t the first time they’ve heard, they’ve heard a weapon fired in anger, right. um, you’ve got to simulate that if you’re doing well, first off, you gotta be doing testing and clearly a lot of people aren’t doing testing.

Second, you’ve got to, as much as you can simulate real conditions, this isn’t a pizza party.

[00:18:11] Stephen Manley: Right.

[00:18:12] W. Curtis Preston: right. This, this is a hail Mary party.

[00:18:16] Stephen Manley: Yeah,

[00:18:16] W. Curtis Preston: um, I, I don’t know any, you know, your thoughts on that.

[00:18:20] Stephen Manley: I, yeah. I mean, I’d, I’d probably double down too on first. Look, if you’re out there and you’re in an organization and you’re thinking to yourself, man, I’m really worried. First you’re not alone. And second, you probably should be based on these numbers. If you’re patting yourself on the back and saying I’m not worried at all, you’re probably wrong.

Uh, so, so then the, the second thing I’d say is, you know, this really to double down on what Curtis said, this really is one of those where you’re not just gonna buy a tool and get yourself out of it. This isn’t a, you know, I’m, I’m, I’m gonna get product X, product X solves everything because. Realistically ransomware protection and ransomware recovery, as much as even we at Druva, you know, software is a service and, and we, we do the protection for you and we do all those even, you know, we’re still part of a larger ecosystem that you’re going to use to be able to.

You know, detect and recover and respond to a ransomware attack. And so you’re gonna need to test, test, test, but you’re also gonna need to work cross functionally because most organizations right now are not set up to handle a cyber threat because your security team doesn’t necessarily talk to your production team who doesn’t necessarily talk to your data.

You know, data protection, backup team. You’ve gotta start finding ways to reach across, or you’re gonna end up one of these statistics. This stuff is hard. you don’t write a check and walk away. You write a check, that’s the beginning, but then you’ve got a whole lot of work and you wanna find someone that’s gonna partner with you.

That’s gonna be honest about that. If someone comes selling you snake oil, it’s snake oil.

[00:20:00] W. Curtis Preston: Yeah, I, I think that’s, that’s a really good point, Stephen. Uh, so I wanna refer people to this white paper. Uh I’m I’m sure we’ll make it available in the show notes. And, uh, it’s available for download from the Druva website. There are a lot of other interesting stats in here. I think one of them that I just found, so 75% of those that were infected were reinfected

21%.

Several. Re infections, uh, like after going through all of that, you know, um, by the way, a good way to make sure you get reinfected, pay the ransom, uh, cuz you know, you you’ve basically put a target on your back. Uh, so you know, I, this is, as you said, this is a. Difficult subject to talk about, um, take a look at the survey.

It’s a solid survey with 500 people across different countries and different company sizes. And I, I think you’ll, I think you’ll find it, uh, illuminating. So, uh, thanks for chatting about us, Stephen.

[00:21:01] Stephen Manley: Uh, absolutely. Everybody read the paper. And again, if you’re working with your boss, use the paper to show your boss. It’s not just you that’s freaked out. Everybody is.

[00:21:11] W. Curtis Preston: All right. And thanks to the listeners and remember to subscribe so that you don’t miss an episode. And remember here at Druva there’s no hardware required.