The world is averaging 4,000 ransomware attacks per day, according to an interagency report from the U.S. government. Odds are high that your business will someday have to answer the question: Should we pay the ransomware demand?
Before ruminating on that for too long, a more important question is: Does your organization have a business continuity and disaster recovery plan that includes regular backups?
If the answer is “no,” then your business should consider paying a ransom demand. Without a recent backup and a plan for recovery, cybercriminals can lock up data and systems for days, weeks, or months. Even just two days without access to applications and data can significantly reduce employee productivity, cause customers to seek out competitors, and damage brand reputation.
3 reasons to not pay the ransom
Recent statistics show that the majority of companies choose to pay when they suffer an attack. For example, in a survey conducted among 300 organizations, 64% had been hit by ransomware and 83% paid the demand.
There are certainly factors that justify that decision, including the lack of backups. Also, some companies simply cannot afford any amount of downtime. There are considerable costs associated with lost productivity and customer revenues while security teams fervently work to restore data and bring systems back online. It can be just as costly to contain, recover and remediate the effects of a ransomware attack as to pay off the cybercriminals.
So, why not pay the ransom? Here are three reasons:
- Even when companies elect to pay ransom demands, they often do not recover all their data. A Sophos study released last year found that only 8% of organizations had all their data returned to them after paying the ransom, and 29% were given back only half of their data.
- Even if all data is recovered from the cybercriminals, there’s a chance it will be encrypted or exposed again. Hackers make backups, too, and sell stolen data on the dark web or release it to the public.
- Adding a ransom payment on top of recovery costs can double the total cost. Organizations may need to hire an outside party to restore systems. Even if in-house security teams have the skills to contain, remediate, and recover after an attack, their efforts will be time-consuming. Meanwhile, the rest of the workforce is unproductive, and there’s a good chance customers will seek competitors rather than wait out recovery efforts.
Being proactive goes a long way
If there is an optimistic view of ransomware, it is that being proactive works. There are several steps toward ensuring your organization can quickly recover from a ransomware attack:
- Establish a business continuity and disaster recovery plan, and invest in ongoing data backups and protection.
- Have an incident response plan. Like a checklist, this plan includes step-by-step actions to take when a ransomware event occurs. It involves everyone from information security and business stakeholders to employees and partners. Practice it!
- Know whom to contact in the event of a ransomware attack. For example, the list should include local law enforcement and legal advisors, who can guide business leaders through privacy concerns should sensitive data be exposed or held for ransom. It’s also likely that the event will make the local or even national news, so be prepared for unwanted publicity.
We believe that organizations willing to invest in data protection and security upfront are well positioned to quickly recover from a ransomware attack. In our view, the only reason to pay the demand is when your company hasn’t been proactive.
Need help building your BCDR or incident response plan? RKON offers virtual chief information security advisory services. Get more info here.