Executives of small organizations are often not sufficiently familiar with ransomware. The WODC (Research and Documentation Centre) in the Netherlands claims that this prevents them from properly assessing the risks. The WODC advocates for an educational campaign.
The WODC conducted research on the impact of ransomware attacks on Dutch businesses. The research center also looked at the course and attack vector of a ransomware infection. An important conclusion is that ICT practitioners in an organization are usually well aware of both the risks and consequences of ransomware infections, but company executives much less so. According to the WODC, the concerns of employees with expertise “are not adequately conveyed to the administration”. This mainly involves small and medium-sized businesses, since large organizations “often tend to have their affairs in order in this field and because they often operate in a very specific context,” the WODC wrote.
According to the researchers, only 30 percent of corporate executives see cyber crime as a major risk to the organization. ICT service providers are in large part “very concerned” about ransomware, but among customers, only 20 percent are said to feel that way. “This results in a structural lack of resources to ward off ransomware attacks,” the WODC writes. In fact, not enough attention is said to be paid to basic measures.
In the report, the WODC calls for an awareness campaign. It is supposed to contain “confrontational facts”. The researchers cite examples of businesses that became victims of ransomware, with an emphasis on the cost and time of a recovery operation. Similarly, attention should be paid to potential fines from the Personal Data Authority (Autoriteit Persoonsgegevens), for example if it turns out that companies had not properly secured personal data.
The researchers suggest deliberately framing the campaign as “a business case approach”. Cyber security can thus be portrayed not just as a cost, but rather as a benefit to customers and to the stability of the company. “If that business case illustrates how an investment of one euro can stop an attack that would cost the organization ten euros, corporate executives are often quickly convinced,” the researchers write.