Ransomware attacks drive ZTNA adoption

SOPHOS

Organizations with recent direct experience of a ransomware attack have considerably higher adoption of zero trust network access (ZTNA) technology than those that haven’t fallen victim.

A study of 5,400 IT professionals has revealed a correlation between direct experience of ransomware and adoption of a zero trust approach.

Organizations that had experienced a ransomware attack in the previous year (defined as multiple devices being impacted but not necessarily encrypted) reporting considerably higher levels of awareness of the zero trust approach and were more advanced in their implementation of zero trust network access (ZTNA) solutions than those that hadn’t experienced an incident.

It is likely that these organizations’ direct experience of ransomware accelerated the implementation of a zero trust approach to help prevent future attacks.

The findings result from an independent survey of 5,400 IT professionals in organizations with between 100 and 5,000 employees that was conducted by research house Vanson Bourne on behalf of Sophos in 2021.

The role of ZTNA in preventing ransomware attacks

Breaching the victim’s network is one of the first steps in a ransomware attack. The rapid increase in remote working over the last two years has hugely increased the opportunity for attackers to exploit vulnerable VPN clients to get a foothold in an organization. Once inside, they are often free move laterally throughout the network, escalating privileges and progressing the attack.

By eliminating vulnerable VPN client software, granularly controlling access based on device health and identity, and micro-segmenting applications, ZTNA stops attackers from both breaching the organization and from moving around it, even if they obtain legitimate credentials.

[To learn more about the role of lateral movement in ransomware attacks, read the Sophos research report Windows Services Lay the Groundwork for a Midas Ransomware Attack that details how adversaries exploited remote services and access tools to hold a technology company to ransom.]

Finding one: Ransomware victims have much greater familiarity with the ZTNA approach

IT professionals in organizations that had been hit by ransomware in the previous year are almost 50% more likely be ‘very familiar’ with the ZTNA approach than those whose organizations hadn’t experienced an incident (59% vs 39%). This rises to 71% among those whose organizations had been hit and they paid the ransom.

Further illustrating this point, just 10% of ransomware victims have little or no familiarity with ZTNA, compared with 21% of those whose organization hasn’t fallen victim.

Finding two: Ransomware victims are more advanced in their adoption of the zero trust approach

One quarter (25%) of those whose organization experienced a ransomware attack in the previous year have already fully adopted a zero trust approach, rising to 40% of those whose organizations were hit and paid the ransom. In comparison, just one sixth (17%) of those that hadn’t experienced an attack have already fully migrated to this approach.

Finding three: Ransomware victims have different motivations for adopting a zero trust approach

Respondents were asked about their motivations for adopting a zero trust approach and, while there were several commonalities, there were also clear areas of difference.

  • To improve our overall cybersecurity posture’ was the most common motivator among both victims and non-victims
  • The second most common motivator among ransomware victims was the desire to ‘simplify our cybersecurity operations’ (43%), potentially reflecting that complex security had contributed to their previous attack
  • Ransomware victims are also heavily motivated by ‘supporting our move to increased use of the cloud’ (42%). This dropped to 30% amongst those that hadn’t experienced a recent attack
  • Similarly, ransomware victims were also much more likely to say that ‘to move from a CAPEX to an OPEX model´ was one of the main factors behind their zero trust approach adoption (27% vs. 16%, and rising to 34% among those that had been hit by ransomware and paid the ransom)

Finding four: The pandemic was more likely to positively impact the zero trust adoption plans of ransomware victims

For many organizations the pandemic had a positive impact on their plans for adopting a zero trust approach. For many, it created a need for zero trust that they didn’t have before. This is understandable: many companies and public bodies were previously wholly office-based and so didn’t have a need to provide secure remote access.

Half (50%) of ransomware victims and 36% of non-victims reported that the pandemic enabled them to move budget to adopting a zero trust approach, while many also reported that it enabled them to divert people and/or money from other activities to the move to zero trust.

The survey findings highlight that organizations that fell victim to ransomware and paid the ransom were most likely to experience a positive pandemic impact on their zero trust adoption. It seems that pain of the ransomware attack might have concentrated minds and resources on effectively mitigating a future incident.

Introducing Sophos Zero Trust Network Access (ZTNA)

Sophos ZTNA is a much more secure and easy-to-manage remote access solution that delivers a transparent, frictionless experience for end-users.

  • By removing the need for VPN clients, Sophos ZTNA reduces the attack surface, making it harder for ransomware actors to get on your network
  • Sophos ZTNA constantly checks user and device security, delivering continuous high-level of controls and preventing attackers from exploiting a previously authenticated user’s access
  • Granular access controls enable you to easily restrict access to specific resources to those who need them, preventing adversaries from moving laterally across your network
  • Sophos ZTNA uses the same agent as Sophos Intercept X endpoint protection, enabling customers to enhance their protection without adding device overhead
  • It is managed from the cloud-based Sophos Central platform, enabling customers to manage all their Sophos solutions via a single interface for enhanced day-to-day management and control

With the average cost of ransomware remediation now $1.85 million for small and mid-sized organizations, moving to secure remote access via Sophos ZTNA is a sensible investment.