Cyberattacks Compel Companies to Pay Ransoms, Breaking their ‘Do Not Pay’ Policies

A study conducted by Cohesity indicates that prevalent cyberattacks are compelling a majority of companies to pay ransoms and disregard their ‘do not pay’ policies. The research, based on responses from over 900 IT and Security decision-makers, underscores the prevailing notion that companies are operating in an environment where cyberattacks are not a matter of ‘if’ but ‘when.’ Notably, a significant portion of surveyed companies has paid ransoms in the past two years, and the majority anticipates a substantial increase in the threat of cyberattacks in 2024 compared to 2023. The situation is exacerbated by deficiencies in data recovery capabilities.

Alarmingly, close to 8 in 10 (79%) respondents said their company had been the ‘victim of a ransomware attack’ between June and December. The cyber threat landscape is expected to get even worse in 2024, with 96% of respondents saying the threat of cyberattacks to their industry will increase this year and over 7 in 10 (71%) predicting it will increase by more than 50%.

Organizations’ attack surfaces are informed by the size and scope of their data environments. However, 78% of respondents said their data security risk has now increased faster than the growth in the data they manage. Respondents also believe organizations’ cyber resilience and data security strategies are not keeping up with the current threat landscape, with just 21% having full confidence in their company’s cyber resilience strategy and its ability to ‘address today’s escalating cyber challenges and threats’.(1)

Slow Data Recovery & Lack of Cyber Resilience Results Ransom Payments

Cyber resilience is the technology backbone for business continuity. It defines companies’ ability to recover their data and restore business processes when they suffer a cyberattack or adverse IT event. However, according to respondents, every company has cyber resilience and business continuity challenges:

  • All respondents said they need over 24 hours to recover data and restore business processes
  • Just 7% said their company could recover data and restore business processes within 1-3 days
  • 35% said they could recover and restore in 4 to 6 days, while 34% need 1-2 weeks
  • Alarmingly, almost 1 in 4 (23%) need over 3 weeks to recover data and restore business processes

Further demonstrating cyber resilience gaps, just 12% said their company had stress-tested their data security, data management, and data recovery processes or solutions in the six months prior to being surveyed, and 46% had not tested their processes or solutions in over 12 months.

Unsurprisingly, 94% of respondents said their company would pay a ransom to recover data and restore business processes, while 5% said ‘maybe, depending on the ransom amount.’ More than 2 in 3 (67%) said their company would be willing to pay over $3 million to recover data and restore business processes, with 35% of respondents saying their company would be willing to pay over $5 million. The research also showed the importance of being able to respond and recover, as 9 in 10 said their organization had paid a ransom in the prior two years, despite 84% saying their company had a ‘do not pay’ policy.

“Organizations can’t control the increasing volume, frequency, or sophistication of cyberattacks such as ransomware. What they can control is their cyber resilience, which is the ability to rapidly respond and recover from cyberattacks or IT failures by adopting modern data security capabilities,” said Brian Spanswick, chief information security officer and head of IT, Cohesity. “It is no surprise that the majority of companies have been hit by cyberattacks like ransomware. What is alarming is that 90% have paid a ransom, breaking their ‘do not pay’ policies, and most are willing to pay over $3 million in ransoms because they can’t recover their data and restore business processes or do so fast enough.”

Executive Management Should Be Accountable & Aligned

Respondents identified executive awareness and responsibility for data security as two areas for companies to improve, with just 35% saying their senior and executive management fully understands the ‘serious risks and daily challenges of protecting, securing, managing, backing up, and recovering data.’ Four in five said executive management (C-Level) and boards should share the responsibility for their company’s data security strategy, while 67% said their company’s CIO and CISO, in particular, could be better aligned.

Prioritizing their biggest concerns about a successful data breach or cyberattack, respondents selected brand and reputational damage (34%), a drop in share price / investment / profitability (31%), a direct hit to revenue (30%), and a loss of stakeholder trust (30%). When asked who is most impacted by a data breach or cyberattack, respondents said existing customers (29%), the Security team (29%), the IT team (28%), employees (28%), and their third-party partners (27%) were most impacted.

“Cyber resilience and data security should be a holistic organizational priority because the use of data and technology occurs in every function by every employee. The severe impact of a successful cyberattack or data breach on business continuity, revenue, brand reputation, and trust is enough to keep all business, IT, and Security leaders awake at night,” said Sanjay Poonen, CEO and president of Cohesity. “To rapidly respond to cyberattacks, organizations need modern AI-powered data security and management solutions that protect their data, detect when it is under attack, and recover it as fast as possible to restore their business processes.”

Regulation Isn’t Driving Companies’ Cyber Resilience & Data Security Best Practices

Despite governments and public institutions going to great lengths to encourage stronger cybersecurity and data management, only 46% of respondents said government initiatives, legislation, and regulations are actually driving their companies’ data security, data management, or data recovery initiatives. Of these respondents that said specific government initiatives, legislation, and regulations are driving their data security, management, and recovery approaches, 2 in 3 named these as the most influential:

United States:

  1. California Consumer Privacy Act
    Federal Trade Commission Act of 1914
  2. Department of Defense’s Cyber Security Maturity Model Certification (CMMC)
    Digital Millennium Copyright Act of 1998 (DMCA)
    Sarbanes-Oxley Act of 2002
  3. California Privacy Rights Act of 2020 (CPRA)


  1. Privacy Act 1988
  2. Digital Transformation Agency Guidelines
  3. Office of the Australian Information Commissioner’s Notifiable Data Breach (NDB) Scheme

United Kingdom:

  1. National Data Strategy (NDS)
  2. Consumer Data Right (CDR)
  3. Data Protection Act 2018
    UK Cloud Security Principles

“It may seem surprising that 54% say government efforts and policies aren’t driving their companies’ data security, management, and recovery initiatives. However, organizations should not be centering their entire data security, risk, management, or recovery strategy around a set standard or compliance framework,” said Spanswick. “Organizations should certainly adhere to legislation, regulation, and standards, but these should be seen as the floor and not the ceiling. The security risks to a company’s data and operations should be what drives their data management, security, and recovery practices.”

About the survey:
The findings are based on a survey of 902 IT and Security decision-makers (split as close to 50:50 as possible) commissioned by Cohesity and conducted by Censuswide. Survey respondents were polled from businesses in Australia, the United Kingdom, and the United States. The top five industries selected by respondents as best representing the industry their company operates in were: IT & Telecommunications, Finance, Healthcare, Finance, HR, and Manufacturing & Utilities.

Learn how to reduce the threat of cyberattacks with Cohesity’s intelligent data security and management solutions.

Related News:

Cohesity DataProtect Integration with Microsoft 365 Brings Enhanced Security

Cyber Resilience and Data Recovery are Lacking According to Cohesity Research

1Respondents were provided with the NIST definition of cyber resiliency at the start of the survey: “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”


About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.