Often, if the data you share with a company is stolen or encrypted during a ransomware attack, retrieving it can be difficult. Companies will also sometimes refuse to pay, as seen in the Vastaamo case. But should the company pay to have it returned? And what can you do as an individual to help keep your data safe in the first place?
We all have data that is precious to us but looked after by somebody else. Dealing with almost any business today involves trusting them with some kind of data – whether it’s our medical records, financial information, shopping habits, family photos, or even our dating profiles.
Much of this data is sensitive and, in the wrong hands, could be used to cause serious damage, both financially and reputationally. Recently Vastaamo, a large psychotherapy clinic in Finland, had its patient data stolen. The hackers have since reached out to patients demanding a ransom in return for their data. Failure to pay, the hackers warned, will result in the private and sensitive information being leaked online for all to see.
To pay or not to pay?
Data can say more about you than any simple financial transaction. So when your data falls into the wrong hands, the impact can be devastating. If a criminal steals money from you online, you can often be reimbursed by your bank, insurer or issuer; but if a criminal steals your data, they can hold power over you long after the event.
Some data, such as family photos or academic work, can be irreplaceable on a personal level, and many other types of data loss can be just as damaging. Imagine, for example, trying to get a new job without being able to prove your qualifications. Think about the cost of the x-rays needed to recreate your dental records. Or consider simply not being able to qualify for the no-claims bonus on your car insurance. Any of these things could happen as a consequence of your data being stolen in a ransomware attack on one of the companies you currently do business with. So, shouldn’t the company pay to fix things?
The case for a company paying the ransom for your data may appear strong but, sadly, the hope of regaining your data this way is often wishful thinking. Even if the ransom is paid, there’s no guarantee the attacker will return your information. Many hackers couldn’t give it back even if they wanted to, since they lack the technical capabilities to reverse the process they started. Little wonder then that 20 percent of paying victims don’t even have their stolen data returned.
And consumers rarely want the businesses they trust to be complicit in allowing crime to pay. Veritas research shows that under a quarter (23 percent) of consumers think that businesses should negotiate with cybercriminals. Similarly, just 27 percent think governments should engage with the attackers. In the majority of cases, prevention is far better than the cure. Customers say they expect the organizations that they buy from to have strong ransomware defenses and a comprehensive data backup policy.
Staying safe, without surrendering
All too often, a ransomware attacker can bring their victims to a place where it feels like there’s no right decision. If the data can’t be restored another way, victims must either pay the ransom and invite repeated attacks in the future, or lose their data forever. Neither choice is a victory. When faced with an impossible decision, all anyone can do is work out how they got there in the first place and ensure it never happens again.
Ransomware attacks on ordinary consumers are rarer now, but they still happen. To avoid being caught out, be diligent about which emails you open and which links you click, and ensure you’re using up-to-date antivirus software. But you should always work on the assumption that a new virus or scam could sneak past your best defenses, and here preparation is the key to success. Backing up your files is easy and, just to be safe, you should be saving multiple copies in different locations, such as external drives or the cloud. That way, if a hacker comes after your data and successfully encrypts it, you don’t need to pay – you can simply restore another copy.
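The restore-instead-of-pay advice above only works if you know which of your copies is still intact before you rely on it. The following added example (not code from the original article or from Veritas) records a SHA-256 manifest when a backup is taken and later checks each copy against it, so that a copy whose contents were overwritten in place stands out from one that is still good. The file names, directory names and scenario are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (relative path) to its digest at backup time."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_copy(manifest: Dict[str, str], copy_root: Path) -> Dict[str, List[str]]:
    """Compare a backup copy against the manifest taken when it was made.
    Files whose digest no longer matches (for example, encrypted in place)
    are reported as modified; absent files as missing."""
    result: Dict[str, List[str]] = {"intact": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        p = copy_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif hash_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["intact"].append(rel)
    return result

def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: two files backed up to an 'external drive' and a
    'cloud' directory; the drive copy is then scrambled and both are checked."""
    base = Path(tempfile.mkdtemp())
    src = base / "documents"
    src.mkdir()
    (src / "diploma.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (src / "dental_records.txt").write_text("constructed sample record\n")
    manifest = build_manifest(src)          # taken at backup time
    drive, cloud = base / "external_drive", base / "cloud"
    shutil.copytree(src, drive)
    shutil.copytree(src, cloud)
    (drive / "diploma.pdf").write_bytes(os.urandom(32))  # drive copy overwritten in place
    return {"drive": verify_copy(manifest, drive), "cloud": verify_copy(manifest, cloud)}
```

A copy that reports only intact files is the one to restore from; a copy with modified entries should itself be treated as compromised rather than restored.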
But, how do you protect the personal data that isn’t on your own computer? How do you defend the data that businesses and organizations hold on you? In 2020, we’ve seen growing numbers of organizations fall victim to ransomware attacks and we’ve also seen the impact it can have on both the business and its unwary customers. This could easily happen to any of us, especially if we’re not careful about who we give our data to.
The best way to keep your data safe is to make an informed and responsible decision about who you purchase from. Before engaging with a business that’s going to hold records on you, read its data policy carefully and check up on its history. Under GDPR, businesses are obliged to defend the data of their customers, but the enforcement leaves a lot of freedom for businesses to comply as they see fit, and not all of them invest the same resources in data protection. Adhering to the letter of the law can sometimes be a long way from adhering to the spirit of it.
If a business has a history of data breaches, or fails to mention the steps it takes to protect customer information or back up its data, this should raise a red flag. Just as you would never want to fly with a carrier that has a poor track record for safety, you shouldn’t be trusting your information to a business that has a poor track record for security. You’re not powerless to protect your data online; your choice of whom you do business with can make all the difference. Getting serious about your own data protection will force businesses to get serious about theirs, too. Otherwise, they risk losing business from concerned customers.
Mark Nutt, Senior Vice President, EMEA, Veritas Technologies