A detailed survey of medium to large firms with more than 250 employees found that almost two-thirds (61 per cent) admitted to having been successfully hit by a ransom attack.
Of those, more than half (57 per cent) agreed to pay ransoms in the hope of having sensitive data taken hostage by cyber criminals released.
Although Chief Financial Officers (CFOs) stated that their companies had set aside an average of £760,000 for ransom payments, 67 of the 114 firms that paid handed over between £1m and £10m to the criminals.
And most found that paying crippling ransoms proved to offer no guarantee.
Fewer than a third – 32 per cent – had all their data returned and were subsequently left alone; 38 per cent went on to receive further demands, and a further 30 per cent received only some of their data back.
Eight firms (7 per cent) were left with nothing at all to show for the ransom they paid.
“This study was UK-specific, but the issue is certainly not limited to Britain,” said Heather Bellini, CFO of US cyber firm Deep Instinct, which commissioned the research.
“The number of those companies who were breached, and the number who paid ransoms, may well surprise members of the public at large. It doesn’t surprise me, however.
“We all share the same backdrop of post-pandemic behaviour; the same level of breaches going up exponentially. And we’ve seen a huge uptick in what is coming out of Russia.
“This is the way of life now. It’s not going to change and companies need to take more affirmative action.”
Of the 201 medium to large firms surveyed, 113 (57 per cent) said they had suffered a ransomware attack, and of those, 63 firms (56 per cent) paid the ransom.
Of the 63 firms that did stump up the cash, only three (4 per cent) got away with paying less than £500,000, while 18 companies paid between £500,000 and £1m.
The remainder were forced to hand over considerably more: 23 firms (36 per cent) paid up to £5m, nine (15 per cent) paid up to £10m and a further four firms paid even more.
But the report, entitled Dangerous Disconnects, found one avenue where firms could take a more robust stand: involving CFOs and finance directors more closely in cyber planning, said Ms Bellini, formerly of Goldman Sachs investment bank.
While most CEOs claim their companies are well prepared, only 14 per cent of the CFOs interviewed in a lengthy 45-minute process – the people whose job it is to deal with the financial fallout of a ransom payment – shared that confidence, because so few of them (12 per cent) were included in cyber planning.
“The perception is that it is the SMEs – small enterprises – which are most vulnerable. But many large companies are an amalgamation of many others, with different systems running in parallel which gives them a complicated architecture,” said Ms Bellini.
“If a CFO isn’t being properly briefed, they may simply not choose to fund projects that should be funded. They may not have the right ransomware insurance; they may not appreciate that this is a permanent risk. Everyone needs to be on the same page.”
She added: “Cyber attacks increase the cost of business. If you are getting breached, and paying ransoms, you may begin by taking it out of the shareholders’ pocket, but at some point, you’re going to have to change what you’re charging customers. And that’s something all companies want to avoid.”