Whilst many believe prevention of security breaches provides the best course of action, there is still no guarantee that an organization is not vulnerable to ransomware attacks, even if it maintains a high level of security.
The arrival of the General Data Protection Regulation (GDPR) has prompted more companies that are victims of ransomware attacks to consider paying up rather than face larger penalties from the ICO.
Last September, Europol, the EU’s policing agency, said in its fifth Internet Organised Crime Threat Assessment report that GDPR could result in a rise in cyber extortion. The report stated: “Hacked companies may rather pay a smaller ransom to a hacker for non-disclosure than the steep fine imposed by their competent authority.”
It is said that some large firms keep stashes of bitcoin set aside in case they fall victim to ransomware, a tactic many risk managers would feel far from comfortable with.
Fines are alarmingly high
Fines for breaching GDPR can potentially be huge. Breaches of specific articles of the regulation, or infringement of an organization’s obligations under it, can result in fines of up to €10m or 2% of annual global turnover, whichever is higher. If the breach is found to have infringed an individual’s privacy rights, the fine can be up to €20m or 4% of annual global turnover, whichever is higher.
Meanwhile, in December, research from security firm Sophos found that almost half (47%) of UK IT directors would “definitely” be willing to pay a ransom if hackers stole their company data, rather than report the breach and pay a larger penalty. A further 30% said they would “possibly” consider paying if the ransom was lower than the official penalty, and only one in five (18%) said they would completely rule out paying criminals.
More small firms say no
It found that small businesses with fewer than 250 employees (54%) were the least likely to consider paying a ransomware demand, compared to just 11% of those with 500 to 750 employees.
In May, another cyber security firm, CrowdStrike, warned that more would choose to pay up. According to its chief executive, George Kurtz:
“If you have a 4% fine on your overall top-line revenue, or you have a ransomware that you can pay off and maybe quietly make it go away, I think there’s going to be an interesting dynamic in the amount that the market values paying off enterprise ransomware.”
Dangers in paying
But the accepted advice is always never to pay, since the business could be left even more exposed and subject to further attacks, in addition to possibly never being provided with a key to unlock the data.
Last year, research from Imperva and CyberEdge Group found that 55% of respondents had been compromised by ransomware in 2017. Of those who paid up, 49% were able to recover their data, meaning it was decrypted, while 51% were not.
Paying up also does not ensure privacy. As the well-documented Uber breach of 2016 shows, details still came to light even though the firm paid some $100,000 (£75,000) to the hackers. In the US, the company was hit with a fine of $148 million in September for failing to notify its drivers about the breach, and in November the business’s European operations were fined £385,000.
Of course, the decision to pay up has been made before and will continue to be made where a business sees it as the only way to keep trading. It can be an extremely difficult decision, and if ever there was a need to have the issue high on the agenda, it is now.
Operational Resilience – a forward thinking approach
Operational Resilience has become a key area of development for many organizations that wish to focus on reducing the impact of ransomware attacks rather than relying on prevention measures alone. In essence, the strategy ensures that companies can continue to deliver critical services to their customers and clients when major incidents occur.
Such an approach requires a failure-centric mindset, assuming that incidents ‘will’ rather than ‘might’ occur. Doing so allows organizations to develop stronger contingencies which, as stated, can help to lessen the impact of ransomware attacks while also helping to avoid large fines from the ICO.
The FCA believes that Operational Resilience should be high on the agenda for senior managers and board members, with regulators wanting to see firms improve their preparedness to withstand, absorb and recover from disruptive incidents. The challenge lies in implementing such practices within already established processes and strategy.