As I write this, the threat of Ransomware is rapidly on the rise. So much so that the Australian Federal Police has formed a task force - Operation Orcus - following in the footsteps of the US Government, in an attempt to combat the specialised criminal infrastructure that is wreaking havoc across large scale organisations here and globally. High profile victims such as Nine Entertainment, JBS and Uniting Care, along with the recent Kaseya interception have been making headlines and may continue to do so without superior intelligence targeting organised crime groups.
To pay or not to pay? On the surface it may appear to be a relatively straightforward question, however, in reality, the answer is not so simple (particularly if we dig a little deeper). Amidst the plethora of information and advice offered by Governments, cybersecurity professionals and industry experts around the world, there is one thing that we seem to all agree upon: the answer to this critical question is not one-dimensional, whatever your viewpoint may be. Every incident is different because every company has its own unique set of challenges and priorities to consider.
In fact, I empathise with any executive, IT or infosec professional that finds themselves in this predicament. Balancing the advice of experts, regulators and governments, against the interests of their employees, customers and shareholders is no mean feat. Complexities arise further when the two groups are diametrically opposed. Add to this personal moral and ethical views, and you are left with a need for deeper analysis (and perhaps some paracetamol). Certainly not a clear cut or easy decision.
Curious of the views held by my network of talented business leaders and industry experts, I was keen to test the temperature of the room through a poll.
I posed the following question:
The response was very telling, and I am appreciative to each and every one of you for contributing to the poll, and for your feedback. Almost 200 people responded, providing a divided yet articulate debate in the comments. It was clear to see that this is an issue that is of major concern to the business community and. The diversity of thoughtful responses further illuminated the fact that Ransomware is a complex and challenging dilemma that warrants more than a simple ‘yes’ or ‘no’ answer.
Here are some quick highlights from the poll:
- 1 in 3 or ~30% would ‘Pay’ or were ‘Unsure’. Senior Executives and Business Leaders tended to be more highly represented in this group, and I can only infer that they were considering the direct business stresses that a ransomware disruption would place on their business, as the basis for their answer.
- Technology and IT/InfoSec Professionals were otherwise more highly represented in the other group, and more inclined to vote ‘Don’t Pay’ (72%). This of course is aligned with the best practice advice of regulators, professional and industry bodies.
- The comments were illuminating, and most security professionals were pointing to the importance of a reliable back up, and business continuity plans, to mitigate any disruptions.
- Other factors to consider were the reliability or trust that you place in those that are holding the encryption key. Do you trust the criminals behind the attack to give you access to your data intact once payment is made? Has the data been compromised or exfiltrated already? How can you be certain? How do you know that there aren’t backdoors?
- Some pointed the finger at cyber insurance, arguing that insurers have a role to play in demanding that companies have better processes in place to mitigate the risk of compromise and data loss.
- And yet others took a contrary and more pragmatic view, suggesting that the decision is a rational one like any other business problem. Assess the time and cost impacts or paying versus not paying, and then act in the best interest of the company and your shareholders.
- Finally, there were those that called out the legal and reputational risks that a company is confronted with if they do in fact choose to pay.
A diverse array of opinions
I thoroughly enjoyed reading the comments, of which there were many in all the varied shades of grey:
“Hard question, I would initially say don't pay as it gives them more incentive to move on and do it again...”
“Treat it like every other decision at work. Do the math, how much the ransom is versus how much it will cost in lost business...”
“Missed a few related to post payment, (like) the reputational damage of paying, the potential legal fights depending on where you operate and the laws for funding certain groups...”
“Of course your risk assessment needs to account for the fact that the ransomer has no need to help you once they get their bitcoins. What are the chances they act 'honourably', really?”
“If your DR (Disaster recovery) & BC (Business continuity) plans, and your technology, get you up and running within a few hours or less, then I certainly would not pay...”
“That’s what DR (disaster recovery) and business continuity plans, provisions and actions are for. Ransomware should never impact a business that it brings to a standstill. If all the above is in place and working makes this question mute.”
And others were certainly more unequivocal:
“If you need to pay, then you’ve failed...”
“Not pay, definitely not. No way!”
The right answer?
While the majority view is certainly “Don’t pay”, and that is absolutely the advice of regulators, I cannot help thinking that it just isn’t quite that simple. Many of the biggest and most sophisticated companies in the world have been impacted by cyber incidents including ransomware attacks, so to dismiss the question as irrelevant based on whether the company has taken the necessary steps and precautions is ignoring the fact that those same companies are armed with large cybersecurity budgets and armies of IT & security professionals. They would almost certainly have their own DR & BC plans in place. I would even hazard a guess that prior to being impacted, those inside may have held the same emphatic views about not paying. But when the clock is ticking and you’re under pressure to get the business back online, to resume services to customers and to reassure shareholders that revenues have been restored, then the picture must look very different. It’s easy for the debate to rage on social media, but the reality is much harsher. None of us want to find ourselves or our customers in that position.
Regardless, we can all agree that ransomware is something we do not wish to experience. I commend governments around the world for being more proactive in the fight against cybercrime. It is reassuring to see the importance of cybersecurity recognised by policy makers and organisational leaders worldwide as we continue to face the common enemy - cybercriminals.
Keeping businesses protected
Prevention is always better than a cure, and the best defence is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid being hit by ransomware in the first place. The fact that a staggering 94% of malware attacks are delivered by email, makes email an extremely important vector for businesses to fortify.
No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a third-party cloud email solution like MailGuard.
Being hit by a ransomware attack can cause businesses significant financial losses and a hit to their reputation, especially following a tough pandemic-ridden year which resulted in many businesses struggling to keep the lights on. By taking time to assess the situation and exploring all recovery options at hand, your customers can make the right decisions and successfully navigate the ransomware payout dilemma.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.