
Most CISOs confront ransomware — and pay ransoms

The odds of a CISO encountering a major cyberattack are about as high as they can get: 9 in 10 CISOs reported at least one disruptive attack during the last year, according to Splunk research released Tuesday.

Almost half of the 350 security executives surveyed said their organizations were hit by multiple disruptive cyberattacks during the last year.

Ransomware accounts for many of these attacks. Almost every survey respondent, 96%, reported a ransomware attack and more than half experienced a ransomware attack that significantly impacted business operations and systems, the report found.

The number of ransomware attacks organizations face correlates directly with how often ransoms are paid: more than 4 in 5 CISOs surveyed said their organization paid the ransom.

At that level of ransom payment activity, CISOs have to operate under the assumption that ransom payments are effectively part of the job.

“CISOs have a duty to anticipate ransoms and also implement them in their budgeting for cyber insurance,” Ryan Kovar, leader of Surge, Splunk’s blue team security research team, said via email.

“Minimally, they need to have a plan before they get ransomed that places them in a position of strong resilience,” Kovar said.

Ransom payments are part of the job

This high rate of ransom payments, which can fuel cybercriminal activities, underscores why the U.S. government and some of its allies floated a potential ban on ransom payments earlier this year.

“Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said at a May event hosted by the Institute for Security and Technology.

A ban on ransom payments would represent a major shift in strategy, introducing a new and complicated measure for countering financially motivated threat actors.

The Biden administration, as recently as September 2022, decided against an outright ban on ransom payments. Instead, cyber authorities strongly encourage organizations not to pay.

The financial implications of ransom payments vary widely, according to Splunk’s report. Most organizations paid ransoms under $250,000, but nearly 1 in 10 paid ransoms over $1 million.

“That’s a lucrative business for ransomware gangs — and many desperate organizations gamble with their reputations in the hope of decrypting their data, recovering their systems and preventing the release of sensitive material,” Splunk researchers said in the report.