The following post was featured on TechTarget SearchSecurity earlier this week. We are sharing it because many clients have asked us this hypothetical question, in the hope that the day never comes when they need to know the answer. Thankfully, they are working with us and have a sound Data Backup and Recovery Plan in place. Read on for an insightful piece we hope you will never need to reference:
“Our organization is developing a short policy statement to deal with future ransomware outbreaks. However, a key point we disagree on internally is that some people believe it’s okay to pay a ransom for data depending on the cost/value equation, while others think paying the ransom is like negotiating with a terrorist and should just never be done. What approach should we take?”
Ransomware is malicious software that infiltrates a computer surreptitiously and then openly takes control of its hard drive and encrypts it. It holds the information hostage until a ransom is paid for release of the decryption key. Payment of the ransom is often made in bitcoin, which is anonymous and untraceable. The ransom can be — and typically is — paid if the information or computer taken hostage is critical to the operation of the business or victim. The underlying questions are how this could have happened and what recourse is available. On June 5, 2014, Cisco forecast a rash of ransomware attacks, and this is starting to come to pass.
Companies that fall victim to ransomware and wind up paying the ransom tend to have either poor backups or insufficient controls. Where both are working effectively but the company still succumbs to a more sophisticated attack, the greater concern is the reputational or financial risk if the incident goes public.
Should a company pay a ransom for information or computers taken hostage? Ethically speaking, the answer is no. In a practical sense, however, given the criticality of the asset, it might have to. If not paying the ransom has an adverse effect on the business's viability, then there are few choices. If the organization can accept the loss of business, then the ransom should not be paid, and attention should be focused on preventing recurrence.
There are several steps organizations can take to prepare for a ransomware attack: backing up critical data daily; running incremental backups to make the backup process less cumbersome and time consuming; ensuring strong network security; verifying and periodically testing malware detection and application controls; and deploying comprehensive monitoring processes to detect unauthorized access attempts and unknown or unexpected changes in the environment. The key is to have sufficient controls and recovery processes in place to render a hostage situation merely an inconvenience rather than a critical business threat.