August 06 2025

Why are so many businesses still failing when it comes to cyber resilience?

Our recent study of 4,500 full-time office workers across EMEA found that nearly 1/3 had no cybersecurity training in the past year.


Global ransomware costs are projected to hit $57B annually in 2025, rising to $275B by 2031, according to a report by Cybersecurity Ventures. Why are the numbers still increasing so dramatically, especially when most global organisations know about the scale, cost, and complexity of the challenge?

At Cohesity, we set out to better understand this question. Our recent study of 4,500 full-time office workers across EMEA uncovered a key part of the answer. While many employees understand the business risk of cyberattacks and the concept of ransomware, there remains a sizeable minority who simply don’t understand how their actions (or lack thereof) affect their organisation’s overall cyber resilience posture.

Too often, employees are not only unable to identify the clear indicators of a ransomware attack, but some have never even heard of the term. Cybersecurity training may have gone over their heads, or they haven’t had any at all. And when they fall for a cyberattack, they delay admitting fault—giving attackers more time to penetrate critical datasets and repositories, slowing down their organisation’s response time and increasing the long-term damage.

The good news? With cyberattacks featured almost daily in news headlines, organisations have woken up to the importance of cybersecurity training. Most businesses are training their staff. Today’s findings reveal that it’s now about focusing on the weakest parts of the chain: the staff members who don’t yet see the full picture. 

So, let’s take a closer look at what the research tells us—and what businesses can do to strengthen their cyber resilience and avoid becoming part of the $275 billion statistic by 2031.

Survey finds nearly 1/3 had no cybersecurity training in the past year

Our research, conducted by OnePoll across France, Germany, the UAE, and the UK, reveals a worrying gap in cyber resilience. While 68% of surveyed employees across Europe received some form of cybersecurity training in the past year, nearly one in three (32%) said they have had no exposure to any training or resources whatsoever. That’s a significant blind spot.

These individuals have not been taught basic cybersecurity measures, the need for shared responsibility, or what to look for in an attack. It means they’re ill-equipped to recognise ransomware phishing emails—let alone understand how to respond appropriately.

Even among the majority, understanding is patchy. While 74% say they have at least “a rough idea” of what ransomware is, that is clearly not enough when the business risks are this high.

To make matters worse, ransomware is evolving fast. With AI-powered deepfake technologies, attackers can use large language models to create personalised emails, mimic trusted sources (such as a colleague or well-known institution), instigate a sense of urgency, and send messages en masse at all hours of the day. Increasingly, they even use voice and video techniques to solicit sensitive access rights.

Worse, this technology has been tweaked, tested, rolled out, and shared to take advantage of one common thing: the unobservant weak links in organisations. 

When reporting a cyber incident, some employees don’t follow best practices

When employees realise they may have fallen victim to a ransomware attack, many still fail to notify their organisation in the correct way, according to our study. In too many circumstances they see it as “not their problem.” They don’t want to create a fuss. They don’t want to get into trouble. The organisational culture of encouraging transparent and timely communication of these threats has not been established.

Even in businesses where reporting lines are clear, some employees would still choose not to report their suspicions. Of the 72% of staff who said they were confident they could identify if their organisation was targeted by a malicious cyberattack, around 43% said they wouldn’t inform the cybersecurity team.

Some of this comes down to employees choosing to report issues only to their line manager, rather than following best practice and informing both their manager and the relevant cybersecurity teams. But 7% said they wouldn’t tell anyone at all if they suspected an attack. This silence can seriously hinder incident response efforts.

Misconceptions, strongly held

Many of our respondents had other questionable beliefs about cybersecurity. 77% believed their organisation has strong enough security measures to prevent an attack, despite 44% knowing that their business had been a victim of an attack in the past.

Around 29% believed IT teams, and 39% believed cybersecurity teams, were solely responsible for protecting the organisation from malicious attacks. Less than one in five (18%) got the answer right: it is a collective responsibility.

Other myths still linger. One in three thinks only large organisations are targeted, as if smaller businesses fly under the radar.

When identifying ways ransomware could infiltrate their organisation, email was rightly recognised as a major entry point, but other common gateways were underestimated. Nearly half didn’t believe that platforms like SharePoint or Google Drive posed a risk. Forty-four percent said the same about Wi-Fi, and 56% dismissed mobile phones as an entry point. Perhaps most surprising of all, 61% believed that Mac computers were not a viable route into systems. 

What to do?

Businesses have done well to shore up their cybersecurity posture in recent years. But today it’s about strengthening the weakest links. Our research data provides a good indication of potential vulnerabilities as far as people are concerned, but now it’s key that you carry out risk assessments to identify the most pressing misconceptions and gaps within your organisation and take action.

But people are only part of the cyber resilience story. Cyberattacks can hit at any moment, and time is of the essence to respond and get back up and running quickly and in a secure state to limit the impact. Planning, processes, technology, and cyber skills are all key elements to building cyber resilience.

In some ways, the research confirms what we already know: when it comes to ransomware, people are the weakest link. There’s a job to be done with employees, but because they will always be the weakest link, no matter how hard you try, organisations need to ensure that their processes, cyber skills, and technologies are as robust as possible to limit the dangers.
