Create a free account, or log in

Ransomware: Should you pay or not?

Smaller businesses are often ripe targets for criminals who hold your data hostage and request a ransom fee. 
Dustin Brewer
Dustin Brewer
bossware surveillance
Source: Unsplash/Matthew Henry

Ransomware is malicious hacking that holds your data and systems hostage, to force you to pay a ransom to the person/group which has control of your data.

As the frequency of attacks rise, the conversation is shifting towards whether companies should pay in a ransomware attack.

Unfortunately crippling cyber-assaults are taking place too frequently across the globe, with targets and outcomes getting more consequential and more threatening for our workforce and communities.

According to the State of Cybersecurity 2021 report from ISACA and HCL Technologies, 41% of Australian and New Zealand respondents reported an increase in cyber attacks on their organisation during the last year, and 62% expect that their organisation will experience a cyber attack in the twelve months ahead.

Cyber-criminals and other nefarious actors are hitting all levels of industry across the world that have a direct impact on essential needs including fuel, healthcare, public utilities, and agricultural supply chains. 

In 2021 we’ve seen the impact on agriculture via an attack on an Australian meat processor, the impact on healthcare due to an attack on five hospitals in the New Zealand district of Waikato, and the Colonial Pipeline attack in the US which threatened the country’s fuel distribution network.

In a vacuum, the guidance not to pay makes total sense. We don’t want to negotiate with criminals.

But when you need to get your business back online, a cost/benefit analysis is going to come into play, and a company is going to do what it needs to do to have continuity. Good cyber hygiene and open discussions on possible threats and mitigation has to be a focus to avoid getting to this point.

Even after your IT and cyber teams have deployed a strategy to protect your organisation from a ransomware attack, you may still find yourself in the dreaded situation of having to decide whether to pay the ransom for your data or not. 

Three questions to consider before paying the ransomware

  1. Are you 100% sure that you need to pay to restore?

    If you already have proper data backup practices, your IT/security team may be able to restore from the latest backup. 

  2. What is the data worth?

    Was it your client list or your iTunes top 10 playlist that was compromised? 

    Figuring out what data has been crypto-locked on your devices and its worth to your company may make the decision for you. This should be discussed with key stakeholders such as data owners and custodians. 

  3. What are you and your company willing to do to restore that data if payment is the only option from an ethical standpoint?

    This is perhaps the toughest and most important question to answer, but you should have discussed this with your leadership team before the time comes to help decision-making. In paying cybercriminals money for returning your data, are you perpetuating this practice by funding the bad actors?

    Will this then result in more attacks on other companies, governments and individuals? A number of the most recent ransomware attacks in the US, for instance, have been on public schools and small municipal institutions.

    As long as this practice is lucrative, criminals will continue to exploit and use the same tactics for monetary gain. Where will this cycle stop, and can you afford to be part of the solution?

The Colonial Pipeline attack sparked a major response from leaders and authorities across the globe. In the days following this attack, an intensive survey was conducted by global IT professional association ISACA, to discover how IT professionals feel about negotiating with cyber-criminals.

The insights certainly validate my own views including:

  • Only 22% say a critical infrastructure organisation should pay the ransom if attacked.
  • 84% of respondents believe ransomware attacks will become more prevalent in the second half of 2021.
  • Four out of five survey respondents say they do not think their organisation would pay the ransom if a ransomware attack hit their organisation. 

We are living in a world where company leaders should assume they will find themselves being held to ransom by cybercriminals. Understanding that this is not a single issue but a systemic cyber and information security one — with societal impacts and ramifications — is paramount for finding a successful and meaningful solution.

In addition, knowing your responses and risk appetite, will not only help in preparing for a ransomware event, but also in understanding what your enterprise’s threshold is in the decision-making process for considering whether to pay the nefarious actors to get your business back up and running. This decision will, of course, need to happen on a case-by-case basis.  

Overall, implementing cybersecurity measures and having the right discussions with the right people to protect the company ahead of this very real possibility is the best way to avoid high-pressure decision-making about whether to pay a ransom.