Attacks/Breaches

5/12/2021
10:00 AM
Why You Should Be Prepared to Pay a Ransom

Companies that claim they'll never pay up in a ransomware attack are more likely to get caught flat-footed.

Mike Tyson used to say, "Everyone has a plan until they get punched in the face." It's much the same with ransomware attacks: No matter how much you insist that of course you'd never pay a ransom, your plans go out the window the first time you see all your organization's computers showing that "You've been hacked" screen. 

The truth is that organizations are increasingly paying ransoms to recover their data. In fact, 70% of businesses hit by ransomware attacks wind up forking over thousands of dollars to their attackers. Even local governments have paid ransoms to regain access to vital services. No matter how much we tell one another that we'd do things differently, the reality is that when your data disappears and you start losing clients or missing deadlines, you'll pay virtually any price to put things right. 

Rather than virtue-signaling with a blanket "We never pay" statement, organizations need to be realistic about the specific circumstances in which they'd pay a ransom. If you're a hospital and people will die if you don't get your computers back online STAT — yes, it's better to pay up. If you're in a less critical field, and it's just a question of waiting around while your backups come online, maybe you can ride it out without paying. 

But either way, it's important to be honest — with yourself, your C-suite, your directors, and other stakeholders — about how you'd respond to a successful ransomware attack. When you're clear and pragmatic about the circumstances in which you'd pay a ransom, you can make more meaningful plans. That starts with including the cost of ransom payments — and the fines you may have to pay for giving cash to cybercriminals — in your IT budget. Your CEO might not enjoy budgeting for Bitcoin transfers to hackers, but it's better to plan ahead than to be blindsided by unanticipated costs.

A clear-eyed approach to the ransomware threat also makes it easier to handle the PR fallout from an attack. That's partly because you can plan ahead, and figure out how to create a crisis communications strategy that's aligned with the reality of the situation you find yourself in. Just as importantly, though, it's far easier to explain your ransom payments to customers and shareholders if you've been upfront about the risks you face, and haven't previously claimed that you'd never, ever pay to retrieve stolen data. 

Perhaps the most important reason to be honest about your ransomware response strategy, though, is that it gives you full visibility into the true cost of ransomware attacks, which in turn allows you to make more realistic cybersecurity ROI calculations. When you know how much a ransomware attack will cost you — including the ransom, the fines, and the potential damage to your brand — then you can make smarter and more informed decisions about how much you should be investing in cybersecurity designed to keep your data safe.

It's always better, after all, to make sensible investments in security upfront and avoid getting hacked in the first place. But unless you're correctly assessing the potential impact of an attack — including the inevitable cost of paying a ransom to recover your data — it's impossible to figure out how much you should really be paying to try to keep yourself safe. Without that kind of clarity, it's also impossible to weigh the value of each year in which you successfully fend off ransomware attacks on your organization — a key step toward justifying your investments in cybersecurity to shareholders, board members, or the rest of the C-suite. 

Accepting that there are circumstances in which you'd pay the ransom also makes it easier to differentiate your data and adopt a defensive posture that's tailored to the actual value of the data you're trying to protect. If there's some data you would pay a ransom to recover, and other data that you could easily do without or reconstruct, then it doesn't make sense to use the same defensive systems to protect both datasets. Instead, invest to protect your most valuable data and ensure that it's securely fenced off from your less valuable and less robust broader data ecosystem.

That's really the key insight I'm trying to communicate: not that you should always pay ransoms, nor that reflexively paying the ransom should be your default response if the worst happens, but rather that you should be clear-eyed about what your data is really worth to you. 

Pretending that you'd never pay a ransom is pointless posturing. Instead, aim to be realistic and upfront with your stakeholders and to implement security solutions (and, yes, post-ransomware payment strategies) that are proportional to the value of the data you're trying to protect. It's by thinking clearly about the costs involved that you'll ultimately be best able to take the necessary steps to keep your data safe.

Christopher Muffat is Dathena's Founder and CEO. He has over 14 years' experience in information security risk management, including leading the internal SwissLeaks digital forensics investigation for HSBC and thereafter acting as Head of Information Risk Management for ...
Comments

Simon Hunt, User Rank: Apprentice, 5/14/2021 | 10:58:32 AM
To pay or not to pay.
Paying a cyber ransom doesn't end there: that money is then used to fund attacks on other organizations, fund drug trafficking, human trafficking, guns, terrorism, and other similar criminal activity. You're not giving money to a teenager sitting in their mother's basement.

Paying has huge societal and moral implications; it's not just a "business risk decision".