
The risky business of paying ransoms

(Image credit: WK1003Mike / Shutterstock)

While companies are contending with a variety of malware types, ransomware continues to be a top concern for IT and security teams. According to our recently released Data Exposure Report, ransomware leads the list of security concerns keeping business and security leaders up at night, followed closely by phishing/whaling attacks, advanced persistent threats and malicious insider threats.

Indeed, ransomware is such a major problem that nearly three-quarters (73 per cent) of CISOs surveyed for the report admitted to stockpiling cryptocurrency to pay a ransom in the event of an attack. And nearly four out of five of those respondents (79 per cent) say they’ve actually paid a ransom in the last year.

While data security practitioners are certainly aware of the practice of paying cyber ransoms, the sheer number of companies doing it is surprising. The truth is, a data security strategy that includes stockpiling cryptocurrency and paying cyber ransoms as a contingency isn’t a sound strategy. It indicates a bigger problem within an organisation in an increasingly complex threat landscape.

Complicated situation

To be fair, wanting to pay a cyber ransom to help mitigate the crisis of a data breach is understandable. With the increasing digitisation of information, much of a company’s value is tied up in precious IP, mostly in the form of data. That data is increasingly vulnerable to malware attack for the following reasons:

  • Despite companies spending nearly $100 billion on data security strategies and tools, malware attacks continue. Companies are trying to do all the right things, such as investing in preventative security perimeters and creating data security policies for employees, but it’s not working.
  • Even the strongest data security policies and perimeters are no match for the reality of human behaviour. Humans are both a company’s biggest asset and biggest liability when it comes to data security and IP. Our report revealed an undeniable disregard for data security best practices, with the C-suite engaging in practices like saving IP outside of company storage, downloading unapproved software, clicking on suspect links and even taking IP with them from former employers. The biggest risk to organisations is people trying to do their work the way they want with a disregard for policy and rules.
  • IT can’t protect what it can’t see. Without full visibility to employee endpoints, IT can’t protect the valuable company data that lives there. Yet, they’re expected to. According to the Data Exposure Report, 73 per cent of security and IT leaders believe there is some data in their company that only exists on employee endpoints. Yet without the right tools, it’s impossible for them to protect that data. And this is valuable data. Losing all corporate data on employee endpoints would be business-destroying or seriously disruptive, according to 71 per cent of the security and IT leaders surveyed for the report.

Far-reaching consequences

It makes sense that a company faced with valuable endpoint data being held ransom — potentially putting business at a virtual standstill — would want to take the path of (seeming) least resistance: just pay the ransom and get the data back. However, if companies are going to engage in this practice, they should be aware of the ramifications:

  • Paying cyber ransoms is dangerous. Not only are you essentially funding criminal organisations, there’s no guarantee that you’ll actually get your data back. Paying the ransom could also result in your business being labelled a “soft target,” increasing the chances that a hacker will extort still more money in the future.
  • If they do release your data, cybercriminals could in the process infect your system with secondary malware. One thing we’re seeing is the increasing use of cryptomining malware, which can work in the background undetected, sapping your company’s CPU capacity.
  • It’s completely unnecessary. Companies that are using cryptocurrency stockpiling and ransom payment as their contingency plan don’t have to do it. The fact is, strategies and tools exist that can negate the effects of ransomware, even after an infection.

A better way

The best way for companies to combat ransomware is to refine their data security strategy to become more resilient in the face of growing attacks. Companies need to come to terms with the following realities:

  • Human behaviour is inevitably going to create data security vulnerabilities. That doesn’t mean you shouldn’t have strong and clear data security policies, and that you shouldn’t enforce them. It just means that people will thwart your best efforts, and your prevention-only strategy is no longer enough to keep ransomware out.
  • Visibility over your data is critical, including that which only lives on endpoints. There are security tools that provide visibility to where data lives and moves — whether that be across endpoints or the cloud. Companies must include these tools in their data security toolboxes.

Now it’s up to them to do it.

Data security strategies must expand to include data recovery as well as prevention. There is no doubt that prevention plays a critical role in an effective security strategy. But companies must also prepare themselves to respond quickly if and when data loss strikes. Luckily, tools that continually back up data even when endpoints are offline can provide companies with the most recent version of data before the malware infection. That means that, instead of paying a ransom to get their data back, companies can simply restore their data.

While many companies might rely on cryptocurrency stockpiling and ransom payment as a contingency plan in case of a ransomware attack, they also know they need to evolve their data security strategies. According to our report, 72 per cent of CISOs agree that their company must improve their ability to recover from a breach in the next year. And three-quarters of CISOs believe their security strategies need to change from prevention-only to prevention- and recovery-driven security.

Richard Agnew, VP EMEA, Code42

Richard brings a broad base of sales and management experience to Code42, gained through years leading regional teams within internationally recognized brands such as Veeam, NetApp, and Dell.