There has been a sharp decline in ransomware payouts, with only 11% of companies admitting to paying demands, which has been attributed to increased investment in backup and recovery technologies.
These were among the results of a Kaseya survey of IT security professionals, which also found supply chain attacks have dropped significantly, from 61% of organizations in 2023 to just 19% in 2024.
Cybersecurity maturity in general appears to be on the rise, with NIST (40%) and zero-trust (36%) frameworks among the most widely adopted.
Companies are implementing a variety of solutions, including antivirus software (87%), email protection (79%) and file backup (70%).
Despite this, follow-through remains a concern, as only 37% of organizations conduct regular drills to test incident response plans, down from 46% last year.
Pentesting has also become a key strategy, with more than two-thirds of companies performing tests at least twice yearly.
However, cost, budget limitations (58%), and resource constraints (18%) are major challenges.
Chris McKie, Kaseya’s vice president of product marketing for networking, security and risk management solutions, said the ideal way to address user concerns is to build a culture of security.
“This incorporates a myriad of actions, including cybersecurity awareness training,” he explained.
He added cultural change includes top-down support, positive reinforcement and educating employees about the consequences – not just the risks – of what happens if the company is hit with ransomware or stolen credentials.
The rise in cyberattacks has also led to increased adoption of cyber insurance, with coverage growing from 27% in 2023 to 61% this year.
McKie explained many cyber insurance policies now require organizations to implement a broad array of security solutions, such as EDR and MDR, as well as proof of security awareness training, and a cybersecurity framework.
“As a result, businesses are investing more in their cybersecurity infrastructure and posture because insurance mandates it,” he said.
The survey also revealed IT budgets remain stable, with 80% of respondents expecting budgets to stay the same or grow.
Priorities include investments in cloud security (33%), automated pentesting (27%), and security awareness training (26%).
“We are definitely seeing an increase in cybersecurity framework adoption, with many using NIST, CIS, and CMMC,” McKie said. “Zero-trust is gaining popularity as an add-on to complement existing cybersecurity frameworks.”
From his perspective, where this makes a difference is locking down access to cloud and network resources.
“Because so many of today’s workloads and business-critical apps are cloud-based, it is essential to ensure access is granted only to the appropriate user and verified device before access is given,” he said.
A major concern remains user-related security issues, with 80% of organizations citing poor practices and a lack of training. Phishing (58%) and malware (44%) were the most reported threats.
While AI is seen as a potential tool for enhanced security, its role is debated, as one-third of IT professionals remain uncertain about its effectiveness.
McKie said the lack of incident response planning is one of the biggest cybersecurity gaps that most companies face.
“Conversely, this represents a huge opportunity for MSPs because they can easily fulfill this need by regularly conducting security vulnerability assessments, table-top exercises and automated pentesting,” he said.
For internal IT professionals, it comes back to building a culture of security.
“Getting management buy-in to conduct regular assessments, or participate in table-top exercises should be on the top of any list of things to implement for 2025,” McKie said.