Phishing, poor user practices and lack of end user security training are main causes of successful ransomware attacks, as cost of related downtime increases nearly 600% in just two years
Last summer, when Datto asked managed service providers (MSPs) across the US, Europe and Asia Pacific to list their main priorities for 2021, data security came near the top – client cyber security was also the thing most likely to keep them awake at night1.
Datto’s fifth annual Global State of the Channel Ransomware Report, published in November, highlights not just why it is so important for MSPs to secure their clients’ data, but also why they must give them the means to recover quickly from any breach.
It identifies the huge opportunity that exists for MSPs to capitalise on growing expenditure by clients who recognise the importance of data security and investment in this area.
The Covid effect
Before considering the report in more detail, it is worth pointing out that the online survey of more than 1,000 MSPs on which it is based was conducted in August 2020, in the midst of the coronavirus pandemic. This has inevitably influenced results and thrown up some unexpected findings at odds with recent trends.
Some of these are likely to be temporary, like the fall in the number of MSPs that cite ransomware as the most common malware threat (down to 70%, from 85% in 2019) and a reduction in the number of MSPs with SMB clients that have experienced a ransomware attack in the last two years (down to 78%, from 85% in 2019).
Both of these trends can be partially explained by the switch by hackers from opportunistic mass phishing campaigns to more targeted ransomware attacks against organisations that have been made vulnerable by the pandemic and are more likely to pay a ransom, because they have a critical need to continue to operate.
This year, in a break with previous surveys, the organisations MSPs consider most susceptible to ransomware are not in the professional services and manufacturing sectors, but in healthcare (cited by 60%), finance/insurance (50%) and Government (45%), all of which have been put under stress by Covid-19.
Some of the changes brought on by the pandemic are expected to be short-lived. For example, 92% of MSPs predict no further drop-off in ransomware attacks and a probable increase in incidents as countries emerge from the pandemic.
Others look more permanent, notably the transition to cloud, which has been accelerated by the move to Work from Home and is likely to remain central to business operations in the future. Hackers have been quick to exploit the opportunities this presents, with nearly one in four MSPs reporting ransomware attacks on client SaaS applications including Microsoft 365, Dropbox and Google Workspace.
More than half (59%) of MSPs said remote work due to COVID-19 has resulted in increased ransomware attacks, with 52% pointing out that shifting client workloads to the cloud had increased security vulnerabilities.
It is also worth noting geographical variations, such as the higher number of reported ransomware attacks in Europe than North America and Asia Pac (85% vs. 77% and 79% respectively) and, perhaps tellingly, a more relaxed attitude to ransomware in Europe, with just 19% of MSPs in Europe describing their SMB clients as ‘very concerned’ about ransomware, compared to 31% in North America and 33% in Asia Pacific.
These suggest that Europe is about one year behind the curve in terms of ransomware awareness and resilience.
With these caveats in mind, what are the key trends highlighted by the report?
1. Ransomware is still the number one malware threat.
It will come as no surprise to MSPs that ransomware continues to be the number one malware threat facing SMBs, cited by 70% of MSPs, ahead of other threats from viruses to keyloggers (see box 1).
2. MSPs are also at risk.
Ransomware is not just an end user issue: 95% of MSPs say that their own businesses are increasingly being targeted by hackers seeking to infect their clients’ systems.
3. SMBs need to take ransomware more seriously.
While 84% of MSPs believe SMBs should be ‘very concerned’ about ransomware, just 30% say their clients feel the same way. Roughly the same number say their clients are either ‘moderately concerned’ (32%) or ‘somewhat concerned’ (34%).
4. IT security budgets have increased – for some.
One in two MSPs say clients increased their IT security budget in 2020. While that is encouraging, MSPs will need to consider how they engage with those clients that have not increased expenditure.
5. End users are the weakest link.
MSPs must persuade clients of the need for mandatory employee security training, as phishing emails continue to be the main source of ransomware attacks, cited by 54% of MSPs, followed by poor user practices, including weak passwords (see box 2). Lack of cyber training (26%) is seen as a much greater vulnerability than lack of funding for IT security solutions (8%).
6. The cost of downtime from ransomware has increased 50x in two years.
The average ransom demand fell to $5,600 in 2020, which is just 30% higher than the 2018 figure. Yet, the cost of downtime from a successful attack has sky-rocketed over the same period, from $46,800 to $274,200 – an increase of almost 600%. This figure is made up of a number of factors, including the cost of reduced productivity (62%), business threatening downtime (39%), lost data or devices (28%), lower profitability (24%) and the ransom demand itself (19%). One in twenty MSPs highlighted the risk of ransomware remaining on SMBs’ systems and striking again.
Justine Harris, Sales Director of UKI, Datto said: “For many MSPs, this will be the stand-out finding of this year’s report. Whether the massive hike in costs is down to MSPs getting better at calculating the true cost of business downtime, using tools like Datto’s Recovery Time and Downtime Cost Calculator, or whether it reflects the scale and sophistication of modern attacks that crawl across business networks looking for other computers, servers and even SaaS applications to infect, this compelling statistic clearly demonstrates the value of investing in a business continuity and disaster recovery (BCDR) solution that enables SMBs to return to normal operations as quickly as possible.”
Harris added: “It is significant that nine out of 10 MSPs surveyed said that clients with BCDR solutions in place are less likely to experience significant downtime during a ransomware attack.”
The power of partnerships
The challenge facing many MSPs is how to meet the client requirement for data security on-premise, in the cloud and across distributed workforces, when they themselves might have limited expertise in this complex and fast changing area.
Top 10 malware threats
*Remote access trojans (19%)
*Cryptojacking (16% – down from 31% last year)
*Exploit kits (11%)
One option that more and more are turning to is partnerships. Almost half (46%) of MSPs surveyed are already partnering with managed security service providers (MSSPs) to boost cyber security/ransomware preparedness (54%); to reduce the cyber risk faced by their own businesses (47%); to gain a better understanding of security technologies (45%); to increase sales of cyber security solutions (45%); to educate their own staff through experience and exposure (35%); to provide a pathway for their transformation into an MSSP (23%); and to share cyber risk with another organisation (22%).
Another possibility is to partner with a vendor like Datto. Its flagship Unified Continuity solution for MSPs provides a comprehensive set of data protection and BCDR tools including cloud backup and disaster recovery powered by Datto’s private cloud; ransomware detection and recovery; restore options for any scenario; and protection for servers, files, PCs and SaaS applications – all backed up with expert, single vendor 24x7x365 support.
Individual elements meet a range of client needs, among them:
*SIRIS – an all-in-one BCDR solution that enables normal business operations to be restored in minutes with verified backups, local and cloud virtualisation, and flexible restore options, all managed from a single pane of glass. SIRIS can be deployed as an appliance, a virtual appliance or as software-only to protect any physical, virtual, or cloud infrastructure running on Windows, Mac, or Linux. Backups are tested, scanned for ransomware, stored locally, and replicated to Datto’s cloud for as long as required;
*ALTO – a plug and play, all-in-one BCDR solution for small environments, which offers the backup and recovery capabilities of SIRIS with cloud virtualisation—local failover is not available on ALTO;
*SaaS Protection – for reliable and secure cloud-to-cloud backup and recovery for Microsoft 365 and Google Workspace (formerly G Suite), with one-click restore of emails, Calendar appointments, Conversations, Contacts, files, and Sites lost due to human error or encrypted by ransomware.
*Cloud Continuity for PCs – Datto’s BCDR solution for Windows 7/Windows 10 PCs and laptops protects devices against ransomware, accidental deletion, hardware failure, theft, and other common causes of data loss. It offers appliance-free backup directly to the cloud and point-in-time rollback and restore of files, folders, applications and system configuration. MSPs can manage multiple clients and streamline deployment remotely via the Datto Partner Portal.
Justine Harris, Sales Director of UKI, Datto said: “Ransomware attacks might have declined slightly last year, but as Datto’s fifth annual Global State of the Channel Ransomware Report makes clear, the cost of downtime has increased massively. To counter the risk posed by phishing emails that can avoid detection by traditional security solutions, businesses need to implement a multi-layered approach, encompassing a range of different technologies, foremost among them a robust BCDR solution to keep data safe and ensure a rapid recovery from any breach.”
Top 10 causes of ransomware
*Phishing emails (54%)
*Poor user practices/gullibility (27%)
*Lack of cyber security training (26%)
*Weak passwords/access management (21%)
*Open RDP access (20%) – spike caused by WFH and subsided when more robust remote access solutions were put in place
*Malicious websites (14%)
*Lost/stolen user credentials (10%)
*Lack of funding for IT security solutions (8%)
*Lack of executive buy-in for adopting security solutions (8%)