
How a Donut Shop Exposes That Businesses Are Still Paying Ransom Despite “Do Not Pay” Policies

No one likes to be in a confined space. Believe me, I don’t. I had a first-hand experience when I was about 12 years old, being one of the 20 people stranded in a monorail-went-kaput incident in Melaka, about 14 years ago. When I was invited to a “cybersecurity escape room” event last week in Singapore, my anxiety level went a little over the roof. Imagine me, in a confined space, with the clocks ticking?! – definitely not good for my blood pressure level!

The Ransomware Resilience Workshop, organised by Cohesity, was a 2-hour immersive workshop designed to mimic a real-time ransomware attack scenario. Participants – who were media from Malaysia and Singapore – were tasked with taking on the differing roles of C-level executives at the helm of a fictional company’s “mission control.”

Our objective as participants? To minimise the business impact as the attack occurs and develop a comprehensive strategy for recovery and future prevention. Supported by a team of Cohesity’s data security experts, participants departed with a practical ‘Resilience Roadmap’ to begin safeguarding data, detecting threats, and swiftly recovering their business from a ransomware attack.

A brief introduction to what I was supposed to do as the Head of PR for Dan’s Doughnuts.

Well, lucky for me though, the event wasn’t in a compact escape room but rather in a meeting room. But the pressure was still there. Tasked as the head of PR for a make-believe doughnut company called Dan’s Doughnuts, my main objective was to release a press statement and develop a damage control strategy to protect the company’s reputation and, hopefully, keep its customers coming back for more delicious treats.

The organisation that was attacking my beloved doughnut company was a fictitious adversary known as “Monti Group,” a threat actor that is based, you guessed it, in Russia. With the clock ticking down, our team, which consisted of the CEO, CISO, CIO, Legal Administrator and, of course, me, the head of PR, had to have a mature, diplomatic discussion on whether we were going to pay the ransom or stone-cold reject any form of payment to the attacker. Whether or not we had any arguments, well, that is confidential…

But the great thing is, there was no right or wrong answer. Each reply that we sent to Igor – the spokesperson for Monti Group – had its own consequences, which would either lead us to halt our operations for 33 weeks or go to jail.

It was a great experience as it forced me to think on my feet and consider the complex PR nightmare a ransomware attack could unleash. The pressure was intense, but ultimately, collaborating with my fellow “C-level” participants helped us develop a comprehensive damage control strategy that prioritised customer safety and brand reputation. It was fun, but also a nerve-wracking and eye-opening experience that definitely made me appreciate the importance of cyber resilience and having a solid plan in place before disaster strikes.

Singapore and Malaysia are Still Paying Ransom

So, why did Cohesity take all the effort to organise this “workshop”?

Well, in an era where cyber attacks are inevitable, businesses in Singapore and Malaysia face unprecedented cybersecurity challenges. Research by Cohesity, an AI-powered data security and management company, reveals that most companies in these regions are paying ransoms due to their inability to recover data and restore business processes efficiently.

The study surveyed 504 IT and Security decision-makers across Singapore and Malaysia, revealing that 70% of organisations had fallen victim to ransomware in 2024. This includes 65% of Singaporean and 77% of Malaysian respondents. Furthermore, nearly all respondents anticipate an increase in cyber threats in 2024, with 91% in Singapore and 97% in Malaysia predicting a surge in cyber attacks.

The cyber threat landscape is expected to worsen, with almost half of the respondents predicting a more than 50% increase in cyber threats this year. This underscores the need for robust cyber resilience and data security strategies. However, 41% of respondents admitted they lack complete confidence in their company’s ability to address escalating cyber challenges and threats.

Over 90% of surveyed companies have stress-tested their data security, management, and recovery processes in the past year, with 56% of Singaporean and 67% of Malaysian organisations conducting tests in the last six months. Despite these efforts, significant gaps in cyber resilience persist.

Disparity Between Recovery Goals and Reality

Cyber resilience, the backbone of business continuity, defines a company’s ability to recover data and restore business processes following a cyber attack. Unfortunately, achieving this remains a formidable challenge. Only 3% of respondents can recover data and restore business processes within 24 hours, with Singapore faring slightly better at 5% compared to Malaysia’s 1%.

Most companies require longer recovery times:

  • 24% need 1-3 days.
  • 34% take 4-6 days.
  • 25% need 1-2 weeks.

Alarmingly, 13% of respondents need over three weeks to recover data and restore business processes. These delays severely threaten business continuity and underscore the need for improved cyber resilience.

Despite these lengthy recovery times, 97% of the respondents aim to recover data within a day, which is kind of a relief. However, this discrepancy still highlights a significant gap between desired and actual recovery capabilities. Over one-third (34%) of respondents target recovery within an hour, yet only 4% can tolerate more than 24 hours of disruption. In reality, 34% can tolerate 1-3 days, 53% accept 4-6 days, and 8% can endure over a week of downtime.

This mismatch between goals and capabilities forces companies to pay ransoms. Over 82% of respondents indicated their company would pay a ransom to recover data and restore business processes, with 59% in Singapore and 74% in Malaysia willing to pay over USD $1 million. Despite having a ‘do not pay’ policy, 69% admitted to paying ransoms in the past year.

Companies Break The “Do Not Pay” Policies

We all know that the financial burden of ransom payments is substantial. Of the 64% of Singaporean respondents who paid a ransom in the last year, 36% paid over USD $500,000, while 47% paid between USD $100,000 and USD $499,999. In Malaysia, 76% of respondents paid ransoms, with 27% paying over USD $500,000 and 54% paying between USD $100,000 and USD $499,999, which bothers me a little: why would you pay these amounts?

James Blake, Global Cyber Resilience Strategist at Cohesity, however, said that it is okay to be hit by cyber attacks, as it can actually happen to anyone, but what surprises him the most is that these organisations are willing to pay ransom just to get things over with.

“It’s not earth-shattering that organisations are being hit with cyber attacks. But what is of major concern is that 69% of respondents said their organisation had paid a ransom, with many breaking their ‘do not pay’ policies, because they either can’t recover their data and restore business processes or overestimate their cyber resilience capabilities,” he said.

James, who is also the brain behind the simulated cybersecurity workshop, then emphasised the importance of enhancing cyber resilience to rapidly respond to and recover from cyber attacks. He noted that organisations must, at all costs, adopt modern data security, response, and recovery capabilities rather than relying solely on protective controls.

Other Persistent Challenges

Singapore and Malaysia are both aware of the increased number of cyber attacks. However, despite increased regulation and legislation, zero-trust security and data privacy remain a constant challenge. Over 40% of respondents believe their centralised visibility of critical data between IT and Security could be improved. Only 66% have deployed multi-factor authentication, 57% use quorum controls, and 55% implement role-based access control. Furthermore, only 56% possess the IT and security capabilities to comply with data privacy laws.

AI-based cyber attacks are also becoming increasingly common, with 80% of respondents encountering such threats in the past year. Despite these challenges, 89% believe they have the necessary AI-powered solutions to counter these attacks. This indicates a growing recognition of the importance of AI in bolstering cybersecurity defences.

In the end, James underscored that cyber resilience is non-negotiable due to the high motivation of attackers and the wide attack surfaces.

He believes that regulations are a necessary foundation for data security, but they should not be the ‘ceiling’ but instead a high ‘floor’ in developing cyber resilience and adopting data security best practices or capabilities.

If you really care about your businesses and want to protect your operations, reputation, and customer trust, I suggest you do what James suggested.

Izzat Najmi Abdullah

Izzat Najmi bin Abdullah is an up-and-coming journalist in the tech world, working for Asia Online Publishing Group. He specialises in cloud computing, artificial intelligence, and cybersecurity, and has a passion for exploring the latest innovations and trends in these fields. Najmi is determined to become a recognised expert in the industry and hopes that his articles provide readers with valuable insights into the fast-paced world of technology. As an English Literature graduate, he combines his love for the language with his interest in the tech field to offer a unique perspective on how technology is evolving, with the goal of becoming the Shakespeare of the tech society.
