Plain and simple, data ransoming is on the rise.
Most of us never consider the possibility that we may become victims of a ransom scenario in our lifetimes. Cyber attacks are a relatively new threat that is evolving rapidly. As this growth continues, more and more parties find themselves at the receiving end of a ransom message. Their organizational or personal data is held hostage while a clock ticks down to fuel their anxiety.
Traditionally, negotiation with any hostage-taker has been considered a dead loss. Common wisdom holds that it will only embolden bad actors and increase the number of incidents. There is a natural tendency to extend this philosophy to data ransoming as well; but with the increasing number of threats and the extraordinary cost of downtime in an online world, we can no longer afford to take this hardline stance by default.
Contrary to our instinctive reaction, paying a ransomware demand must be weighed alongside the other options available during a data breach incident.
Like any other business decision, the issue of whether to pay is a risk calculus with several variables to inform your approach. In addition to the fiscal implications, there is also an important ethical argument to consider. Nonetheless, reviewing all available options should be a part of any risk-related decision.
This document may not answer the “Should I pay?” question for your specific organization or scenario, but it provides guidelines that allow you to assess your relative risk and choose more wisely.
History & Today
“Do NOT negotiate with terrorists.”
We have heard this mantra from politicians and law enforcement for decades, seen it depicted in pop media, and generally accept it as truth.
This logic developed in an era where international terrorism was extraordinarily risky to both the terrorist and the target. Hijacking an airliner required significant investment in planning, training, and coordination on the part of the terrorist. The impact on the target and resulting outrage was even greater (Baum, 2016).
In the modern world of cybersecurity and asymmetric threats, however, these rules may no longer apply.
Unlike the hostage scenarios that spawned this logic, a lone hacker in a bedroom in Ukraine can upend the online business of millions of people transacting billions of dollars. An internet connection, a laptop, a copy of the most recent freeware phishing tools, and an afternoon are the only investments necessary to cause devastation. It can be argued that never in human history has a single person had such capacity to dramatically disrupt the lives of so many others with relatively minimal personal risk.