58% of CISOs Would Pay Ransoms as Remote Endpoints Drive Attacks

A new report from Absolute Security has put a precise number on a problem that security professionals have been circling for years: protecting remote endpoints and their VPN access against ransomware is no longer optional for distributed workforces. According to the research, 58% of Chief Information Security Officers would consider paying a ransom to end an attack, with operational downtime cited as the primary driver. Perhaps more striking, 57% of surveyed enterprises reported that ransomware attacks originated from remote or hybrid endpoint devices. Together, those two figures paint a clear picture of where enterprise security is failing and what it costs when it does.

How Remote and Hybrid Endpoints Became Ransomware's Favorite Entry Point

The shift to distributed work created a sprawling attack surface that many organizations have never fully mapped, let alone secured. Remote endpoints, whether employee laptops connecting from home networks, contractor devices on public Wi-Fi, or hybrid workers toggling between office and remote environments, often sit outside the direct visibility of enterprise security teams. They may run outdated software, use weak authentication, or connect to corporate systems through improperly configured tunnels.

Attackers have noticed. Remote Desktop Protocol (RDP) and VPN credentials remain among the most commonly exploited initial access vectors in ransomware campaigns, and endpoint devices are frequently the first domino to fall. Once a single remote device is compromised, attackers use it as a foothold to move laterally across the network, escalating privileges and deploying ransomware payloads before most organizations have time to detect the intrusion. The Absolute Security findings, showing that 57% of attacks trace back to remote or hybrid endpoints, confirm that this isn't a fringe risk. It is the dominant attack pattern.

The consequences of that pattern reach far beyond individual organizations. The ChipSoft ransomware attack that exposed Dutch patient data illustrates what happens when attackers successfully traverse from an endpoint into a system that holds sensitive records at scale. Healthcare, finance, and critical infrastructure all face compounding risk as their workforces become more distributed.

Why 58% of CISOs Are Willing to Pay and What That Signals About Preparedness

The willingness to pay a ransom is often framed as a moral or legal question, but the Absolute Security data reframes it as an operational one. When 58% of CISOs say they would consider paying, they are not endorsing criminal activity. They are acknowledging that their recovery capabilities may not be sufficient to absorb the downtime that follows a major attack without accepting significant financial and reputational damage.

That is a preparedness problem. Organizations with robust, tested backup and recovery infrastructure, combined with strong incident response plans, are far less likely to face a situation where paying feels like the only option. The fact that more than half of surveyed security leaders would entertain it suggests that many enterprises remain underprepared, particularly when the attack originates from an endpoint that sits outside traditional security perimeters.

It also reflects how costly downtime has become. Supply chains, customer-facing services, and internal operations all depend on continuous access to systems and data. When ransomware locks those systems, every hour of recovery time has a measurable dollar value. That calculus, not moral flexibility, is what drives ransom payment decisions. And as the FBI Director's own email compromise made clear, no organization or individual is categorically immune from targeted attacks.

How VPN Infrastructure Reduces Attack Surface and Lateral Movement Risk

A well-implemented VPN is not a silver bullet, but it is a foundational layer that, when properly configured, significantly reduces the exposure that remote endpoints create. Encrypted tunnels prevent credential interception on unsecured networks. Network segmentation enforced through VPN policies limits how far an attacker can move once inside. And centralized authentication requirements mean that compromised devices are less likely to traverse the network undetected.

The critical word is "properly." VPN configurations that rely on single-factor authentication, that grant broad network access rather than scoped permissions, or that go unpatched for extended periods can themselves become attack vectors. The principle of least privilege, applied at the VPN layer, means a compromised endpoint can only reach the specific resources it needs, not the entire corporate network. Pairing VPN access with multi-factor authentication and endpoint health checks before connection creates a meaningful barrier that slows attackers and buys defenders time to respond.

For hybrid workforces specifically, consistent VPN policy enforcement across all device types, including personal devices used for work, is essential. The attack surface the Absolute Security report describes is, in part, a policy enforcement gap as much as a technical one.

What Distributed Teams Can Do Now to Harden Their Endpoints

The Absolute Security findings are a prompt for action, not just reflection. Organizations with distributed workforces can take concrete steps to reduce the risk that remote endpoints represent.

Audit your endpoint inventory. You cannot protect what you cannot see. A complete, current inventory of every device that connects to corporate systems, including contractor and personal devices, is the starting point for any endpoint security strategy.

Enforce MFA on all VPN connections. This single control eliminates a significant category of credential-based attacks. Stolen passwords alone should not be sufficient to gain remote access.

Segment network access by role. Rather than granting remote users broad network access, configure VPN policies so that each user or device class can only reach the systems relevant to their function. This limits lateral movement if a device is compromised.

Patch endpoints and VPN infrastructure consistently. Many high-profile ransomware intrusions exploit known vulnerabilities for which patches already exist. Automated patch management removes the human delay that attackers rely on.

Test your recovery plan. If a ransomware attack hit your most critical systems today, how long would recovery take? Running tabletop exercises and backup restoration tests regularly is the only way to honestly answer that question and close the gaps before they matter.
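The VPN weaknesses named earlier (single-factor authentication, broad rather than scoped access, long-unpatched infrastructure, no endpoint health check) and the MFA, segmentation and patching items in this checklist can be verified mechanically. The sketch below is an added example, not code from Absolute Security or any VPN product; the policy schema, role names, CIDRs, dates and thresholds are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample policy; schema and values are hypothetical, not a vendor format.
POLICY = {
    "gateway_last_patched": date(2024, 1, 10),
    "roles": {
        "finance":    {"mfa": True,  "posture_check": True,
                       "allowed": ["10.20.5.0/24"]},
        "contractor": {"mfa": False, "posture_check": False,
                       "allowed": ["10.0.0.0/8"]},
        "helpdesk":   {"mfa": True,  "posture_check": False,
                       "allowed": ["10.20.9.0/28", "0.0.0.0/0"]},
    },
}

MAX_ADDRESSES = 1024      # assumed cut-off: larger ranges count as broad access
MAX_PATCH_AGE_DAYS = 30   # assumed patch window for the VPN gateway


def audit(policy, today):
    """Return (subject, issue) pairs for every least-privilege violation found."""
    findings = []
    age = (today - policy["gateway_last_patched"]).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(("gateway", f"unpatched for {age} days"))
    for role, cfg in sorted(policy["roles"].items()):
        # Missing keys are treated as the unsafe value, so gaps fail closed.
        if not cfg.get("mfa", False):
            findings.append((role, "single-factor authentication"))
        if not cfg.get("posture_check", False):
            findings.append((role, "no endpoint health check before connection"))
        for cidr in cfg.get("allowed", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.num_addresses > MAX_ADDRESSES:
                findings.append((role, f"broad network access: {cidr}"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(POLICY, date(2024, 3, 1)):
        print(f"{subject}: {issue}")
```

Run against an export of the real policy on a schedule, a check like this turns the checklist into something that can fail a change review instead of relying on periodic manual inspection.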

The Absolute Security report is a useful benchmark for where enterprise security stands right now on ransomware readiness. The numbers are sobering: a majority of attacks starting at remote endpoints, and a majority of security leaders who feel payment may be unavoidable. But they also point directly at what needs to change. Endpoint visibility, enforced VPN policies, and tested recovery capabilities are not exotic controls. They are the baseline that every distributed organization should be able to verify. Evaluating whether your current setup actually meets that bar is the right place to start.