
Less than one fifth of companies who pay a ransom demand to their attackers have successfully been able to retrieve all of their data after the transaction, a new survey by Hiscox reveals.
While business owners may think that paying a ransom is a sound solution for overcoming a cyberattack, the opposite holds true, Hiscox says.
In fact, only 18% of businesses have successfully recovered all of their data, according to the global cybersecurity insurance specialist.
The numbers are part of the insurer's annual 2024 Cyber Readiness Report, which also shows that 1 out of 10 businesses who pay a ransom demand have discovered their data was leaked anyway, despite their payment.
Companies oftentimes fork over hundreds of thousands of dollars to shadowy ransomware cartels in an effort to keep their customer data safe, but in the end, “paying up rarely pays off,” Hiscox said.
Other top reasons major enterprises and small businesses have chosen to pay off their attackers over the past year were “to protect their reputation and to recover their data because they did not have any back-ups.”

The survey of over 2,100 cybersecurity professionals across eight countries, including over 400 in the US and UK alone, shows that after a publicly acknowledged cyberattack, 47% of businesses struggle to attract new clients due to reputational damage. Another combined 64% say their firm had lost customers and/or business partners in the aftermath of an attack.
“Hackers are holding reputations to ransom – and no business is too small to be at risk,” said Alana Muir, Head of Cyber at Hiscox UK.
Cyber threats and the reputational damage they can cause pose a greater risk to organizations than finding skilled workers and even bankruptcy, according to the survey.
Combined with the fact that nearly 70% of US companies have reported an increase in attacks from 2023 to 2024, companies and their leadership are paying attention.
With the average business hit with over 60 “cyber incidents” each year – the equivalent of one per week – the data found that cyberattacks were “as regular as weekly leadership emails,” Hiscox said. For larger companies, those numbers were even higher at over 100 per year.

Vulnerabilities need to be addressed
“When sensitive data is compromised, customer trust erodes, business is lost, and brand image suffers, said Eddie Lamb, Chief Information and Security Officer at the Hiscox Group.
Lamb further explained that, even worse, “inadequate cybersecurity can deter potential partners and investors while attracting regulatory scrutiny. This can trigger a ripple effect that impacts revenue and growth.”

The insurer says there are three ways businesses can increase their security stance.
The first is to raise security awareness among employees to combat phishing attacks, which still account for nearly 60% of attacks, the survey showed.
Companies also need to have strict employee policies in place regarding personal device usage, which contributed to nearly 40% of attacks.
“Despite phishing emails being a nearly everyday occurrence and our increasing familiarity with the threat, the threat is showing no sign of stopping, ”said Mike Maletsky, Head of Technology & Cyber at Hiscox USA.
Maletsky says one of the best ways to fight back is through regular employee training.
“For every year that employees aren’t trained on the latest cyber risks, technology develops, and cybercriminals can take two steps ahead,” he added.
The survey showed that a strong cyber employee training program can practically cut a company's rate of attacks by over 40%.
The second step businesses can take is to finally retire legacy and outdated technology, which contributes to nearly 50% of a company’s cyber risk.
Finally, companies need to consistently backup their data to ensure that if hit with a ransomware attack, they can restore data quickly, reducing any operational downtime.
“Businesses that opted to pay ransoms did so because 35% lacked adequate data backups and were unable to restore their data,” Hiscox said.
Your email address will not be published. Required fields are markedmarked