In a ransomware attack, cybercriminals get ahold of your data, encrypt it so you can’t access it, and demand a ransom in exchange for a decryption key. It’s an anxiety-inducing event, one that unfortunately is on the rise: according to Help Net Security, ransomware increased by 435% in 2020 compared to 2019. With more people working from home and providing additional attack vectors for cybercriminals, the frequency isn’t likely to decrease any time soon.
There are different opinions about whether you should pay the ransom if your company becomes the victim of such an attack. Paying the ransom can be expensive and there’s no guarantee you’ll get access to your data once you do. Not paying could mean a loss of time, money, and reputation, as well as the potential for exposure of your data.
There are no happy outcomes in this scenario, so, what’s the right thing to do? Here we explore some areas to consider if you find yourself in the unfortunate position of having to make that choice.
Your Backup Plan
In an ideal world, you have your data backed up, perhaps even in more than one location. Therefore, if your primary data repository becomes inaccessible, all you have to do is restore your backups. In this scenario, you don’t need to pay a ransom to unlock your data.
However, many companies (especially smaller ones that may not want to pay for a backup service) lack comprehensive backup processes. Additionally, some cybercriminals threaten to expose data if the ransom isn’t paid. Such an event could be catastrophic for businesses whose success depends on private customer data, or trade secrets. In this case, paying the ransom might make the most sense.
When considering whether or not to pay a ransom to regain access to company data, it’s important to consider the purely financial impact. While paying a ransom can be expensive, not doing so can be even more so, given the process your employees will have to go through to rebuild an entire IT network. Depending on the amount of data involved, your company may even need to shut down for a period. Think about whether your business can withstand such a scenario.
The difficulty of this decision is why some companies have chosen to buy ransomware insurance, which costs less than either a ransom payment or the cost of shutting down the business while data is restored. However, cybercriminals have found a way to work around this solution, setting the ransom at the amount they know insurance companies will pay out.
Another factor to consider is that once you make the decision to pay a ransom, you become known as a company that is willing to do so and may become a victim again.
Funding the Bad Guys
Deciding whether to pay a ransom isn’t just a financial and practical decision — it’s an ethical one as well. If you pay the ransom, you’re teaching the bad guys an important lesson: ransomware attacks work! The more people that make this decision, the more this activity is likely to continue. Yet, if it’s the choice between being ethical and staying in business, many companies will understandably choose the latter.
In an effort to dry up the flow of payments to cybercriminals, some government officials and cybersecurity experts have proposed making ransomware payments illegal. Yet, such a law would leave businesses in an impossible position: break the law to pay a ransom, or watch their companies go down the drain. Additionally, the move may make criminals more aggressive, targeting hospitals and other critical infrastructure assets that are more desperate for access to their data.
Short of a law against ransomware payments, which has been proposed in some places, law enforcement officials encourage businesses to avoid paying if at all possible.
An Ounce of Prevention
The old saying that an ounce of prevention is worth a pound of cure is applicable here. While it’s no comfort if you’ve already been a victim, there are steps you can take in advance to ensure you don’t become one.
- Set up a firewall. This software scans files being exchanged for potential risks.
- Use network segmentation. This process prevents malware from moving from one system or device to another.
- Use multiple (and different types of) backups. For example, you could back up to a cloud service and also to an external hard drive.
- Train employees on what to look for. This step might be one of the most important in keeping your company safe from ransomware.
- Make password security a priority. Passwords may be a basic security component, but they’re an important one. Avoid using weak passwords or the same password for multiple accounts.
- Regularly update software. Software includes operating systems, anti-malware programs, apps, firmware, third-party software, and more.
- Use the Zero Trust model. In this model, a company mistrusts anything and anyone both inside and outside the network. The system validates every user and device each time they request access.
- Employ bring-your-own-device (BYOD) restrictions. Each company’s policy on BYOD should be thorough and frequently updated to ensure employees’ personal devices don’t pose security risks.
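The backup item above is only useful if a backup can actually be verified and restored after files have been overwritten. The following script is an added example, not code from the original article: it copies a constructed set of files to a backup location, records a SHA-256 manifest, flags files whose live copy no longer matches the manifest (which is what a ransomware encryption pass looks like to an integrity check), confirms the backup copy itself is intact before trusting it, and restores only the damaged files. All file names and contents are constructed for the demonstration.

```python
"""Backup with a hashed manifest, integrity check, and selective restore.
Added example; not code from the original article. All paths and sample
files below are constructed for the demonstration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and record its SHA-256 in a manifest."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(p)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare files under root to the manifest: each is 'ok', 'modified' or 'missing'."""
    status = {}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            status[rel] = "missing"
        elif sha256_file(p) != digest:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status


def restore_damaged(backup: Path, live: Path, manifest: dict) -> list:
    """Restore only files whose live copy is missing or no longer matches the manifest.

    The backup is checked against the manifest first: a backup that was reachable
    from the infected network may have been encrypted too, and restoring from it
    would silently replace damaged data with more damaged data.
    """
    bad_backup = [r for r, s in verify_tree(backup, manifest).items() if s != "ok"]
    if bad_backup:
        raise RuntimeError(f"backup copy is itself damaged: {bad_backup}")
    restored = []
    for rel, state in verify_tree(live, manifest).items():
        if state != "ok":
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup / rel, target)
            restored.append(rel)
    return restored


def demo() -> dict:
    """Back up a constructed data set, simulate files being overwritten, then restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"      # constructed "primary" data location
        backup = Path(tmp) / "backup"  # constructed backup location
        (live / "customers").mkdir(parents=True)
        (live / "customers" / "list.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (live / "ledger.txt").write_text("Q1 revenue: 1000\n")
        (live / "readme.txt").write_text("internal notes\n")
        manifest = create_backup(live, backup)

        # Simulate the effect of an attack on the live copy only: two files are
        # replaced by unreadable bytes and one is deleted. Any change to content
        # invalidates the stored hash, so the check does not need to know how
        # the damage was done.
        (live / "customers" / "list.csv").write_bytes(b"\x00\x11unreadable\xff")
        (live / "ledger.txt").write_bytes(b"\x9a\x9b\x9c")
        (live / "readme.txt").unlink()

        after_attack = verify_tree(live, manifest)
        restored = restore_damaged(backup, live, manifest)
        after_restore = verify_tree(live, manifest)
        return {"after_attack": after_attack,
                "restored": restored,
                "after_restore": after_restore}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what makes the backup trustworthy: without recorded hashes there is no way to tell an intact backup from one that was encrypted alongside the primary copy. In practice the backup location should be one the production network cannot write to (offline media, or object storage with write-once retention), which is the point of the article's advice to keep more than one kind of backup.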
No Good Scenarios
There’s no one right answer to the sticky question of whether you should pay cybercriminals that hit you with a ransomware attack. To help organizations make the right choice about whether to pay a ransom, experts recommend that companies in this position ask themselves the following questions:
- Is the inaccessible data essential to my organization’s current or future success?
- How long can we do without the locked files?
- What is the worst-case scenario if we don’t regain access to these files?
- What is our position on whether it is ethical to make a ransom payment?
- Are there other ways to retrieve the data?
Unfortunately, there are no good scenarios if you become the victim of a ransomware attack. All you can do is make the soundest decision possible and hope for the best.