It’s hard to tell any company what to do when it’s in a no-win situation where its data is being held ransom by hackers. Even though the smartest approach might be to stay strong and not cave to the pressure, when it’s your information at stake, it’s tough to take the moral stand.
It’s little surprise then that so many companies have already thought about what they would do if they were confronted with Cryptolocker or a similar ransomware program – and that they’ve come out on the side that it’s better to just pay the ransom and move on.
A ThreatTrack and Opinion Matters survey of 250 security pros at small and mid-size businesses found:
- 70% would refuse to negotiate with cybercriminals, but
- 30% said they would.
They know of what they speak
For far too many of these respondents, the question of whether to pay up wasn’t a hypothetical. Roughly four-in-ten of those surveyed (38%) had already been the target of an extortion attempt. And 86% claimed to know of others who had been forced to pay up.
Alarmingly, 43% of those who had been targeted said that companies should “set aside funds for negotiating with cybercriminals who steal, encrypt or threaten to sell their data.”
Those who had been targeted were also more likely than other respondents to say that cyberinsurers should negotiate on behalf of companies being held to ransom (74% vs. 59%).
Rules for negotiating
There are generally accepted rules for how companies should handle extortion attempts and ransomware.
Essentially, experts argue that you should work to remove the malware if possible, recover what you can from backups and not give in to the demands, for three reasons:
- there are no guarantees that paying up will actually lead to the removal of the malware or the recovery of files – you could pay a ransom and still wind up without access to your information
- it establishes the precedent that you’ll be willing to pay again if you come under attack in the future (and could simply drive the ransom up for future attacks), and
- if enough organizations pay up, it shows hackers this practice is worth their effort (though the horse may already be out of the barn on that one).
Not an easy call
The problem is, doing what’s right is not always popular: two-thirds (66%) said they worried about customer or employee reactions if they found out their organization had known data would be stolen, but refused to pay the ransom.
It’s a moral quandary, to be sure.
While even the best of us can wind up in security nightmares from time to time, preparation and users recognizing danger could be the keys to stopping most of these attacks. Respondents said the biggest threat of ransomware came from email (37%), so training to recognize phishing attempts may be the best course of action.
- Have users report suspicious error messages right away. Many times there’s nothing to be done, but having more time to react is always best.
- Make sure your company knows what it will do if it finds itself in the unenviable position of being the victim of a ransomware attack, and
- Decide whether to report to government authorities, a popular step among those who had been extorted.