To pay or not to pay?
In the UK right now, many businesses are asking themselves how they would respond to a ransomware attack: whether they would pay, and what their risks and obligations are if they are willing to do so.
That’s because the number of incidents of ransomware attacks has skyrocketed in the last two years.
In a recent study, Atlas VPN announced that attacks were up 151% in 2021, compared to this time last year, and that the UK alone had suffered 14.6 million ransomware attacks by the end of August. That’s a staggering number of businesses under pressure every single day, and it proves just how widespread the problem has become.
If there’s one thing those numbers show, it’s that businesses need to get very clear, very quickly, on how they are going to deal with a ransomware attack when it comes. Hoping that it never happens to you is no longer an option.
Of course, we all know how damaging ransomware is. When you’re in that situation, it’s not easy to simply, flat-out refuse to make a payment, particularly when you have no idea what else to do. We can all acknowledge how difficult it is to stand on principle about ‘not paying criminals’ when you are facing a crippling inability to function, when many people are relying on you and you don’t have a roadmap to deal with the problem.
But what is the right thing to do when malicious software has been installed on your systems that is effectively locking you out, stealing your data and ruining your reputation?
No company wants to pay a ransom. They know that paying the hackers only means they will carry on doing this, and they hate to reward criminal behaviour and give money to people who often use it to fund even more socially damaging activities.
“They feel they have no choice,” explains Cyber Threat Alliance president and chief executive Michael Daniel. “whether it’s due to the threat of insolvency, reputational damage stemming from service interruptions, or the potential for loss of life or wide-scale economic disruption. Indeed, from a purely short-term, organisational viewpoint, paying a ransom is often an economically rational decision.”
‘Paying ransoms is not illegal,’ explains the BBC, ‘and many organisations pay in secret. Now, the Ransomware Task Force (RTF) global coalition of cyber-experts is lobbying governments to take action.’
There are pros and cons to banning the payment of ransoms to cybercriminals. On the one hand, the international community has to try to break the cycle that leaves everyone vulnerable to hacking. But realistically, a ban will probably just push payments underground and make the whole situation more desperate and fraught with danger for everyone. Regulation around cryptocurrencies and better cybersecurity practices would be a more effective place to start than simply banning something because you don’t want it to exist, without any practical steps to go with it.
What practical, proactive steps should you be taking right now to manage your risk?
There are a few basics that everyone should have in place.
- Take out some form of cybercrime insurance;
- Partner with a security expert or put in place a rapid response cybersecurity team;
- Establish corporate policy; and
- Make clear the chain of command in the event of an attack.
It’s also worthwhile having a conversation upfront about whether you are willing to pay a ransom, and how much you could afford, before an attack actually takes place and you have to react in the heat of the moment.
Kris Lovejoy, global consultant for EY, acknowledges the desire many companies have to just pay it, but notes that ‘organizations who are faced with this scenario should seek legal counsel, recommendations from any cyber insurance providers, input from law enforcement as well as expert security advice before making any final determination as to the appropriate course of action.’
To make sure that your cyber security is up to the challenges of the digital economy, get in touch with us here at 2|SEC and discover what we can do for you.