Poor cybersecurity hygiene is widely considered to be a major influencing factor for exposure to a ransomware attack. But is that an accurate assessment?
In a new study, RiskRecon, a security best practices specialist, investigated 600+ cyber hijacks to determine if companies victimized by a “detonation” had poor cybersecurity hygiene at the time and which factors, such as web encryption, application security and email security, are key gaps in coverage.
The answer: Cybersecurity hygiene does in fact play a large role in an organization’s vulnerability to a ransomware attack. RiskRecon analyzed the cybersecurity hygiene on the day of the ransomware incident for 622 organizations spanning 633 ransomware events occurring between 2017 and 2021. Based on a comparison population of cybersecurity ratings and assessments of some 100,000 entities, companies that have very poor cybersecurity hygiene in their internet-facing systems (a ‘D’ or ‘F’ RiskRecon rating) have about a 40 times higher rate of destructive ransomware events than those with clean cybersecurity hygiene, wrote RiskRecon founder Kelly White in a blog post. Only 0.03 percent of ‘A-rated’ companies were victims of a destructive ransomware attack, compared with 1.08 percent of ‘D-rated’ and 0.91 percent of ‘F-rated’ companies.
“The cybersecurity conditions underlying the RiskRecon rating reveal just how poor the cybersecurity hygiene is of companies, on average, that fall victim to a material system-encrypting ransomware attack,” White said. For example, ransomware victims have an average of 11 material software vulnerabilities in their internet-facing systems, in comparison with only one issue in the general population. Looking at network services that criminals commonly exploit, ransomware victims expose 3.3 times more unsafe network services to the internet than the general population.
Here are some additional data on the vulnerabilities in internet-facing systems that cyber hijackers can exploit:
- Software patching. 58% of victims had critical issues, 11 average issue count.
- Unsafe network services. 33% of victims had critical issues, 5 average issue count.
- Application security issues. 55% of victims had critical issues, 9 average issue count.
- Web encryption issues. 74% of victims had critical issues, 46 average issue count.
- Email security. 68% of victims had critical issues, 11 average issue count.
“While the cybersecurity hygiene issues RiskRecon observes through its passive analytics of Internet-facing systems and accessible signals may not be the exact vectors the criminals exploited to compromise each victim organization, their presence is a strong indicator that these organizations, on average, do not have robust cybersecurity risk management programs,” White said.