Ransomware: Why do businesses still pay up?


Huge numbers of organisations fall prey to ransomware each year, with a significant number of these businesses caving in to the ransom demands. It’s a problem that both cyber security officials and the wider industry are grappling with, as they race to establish why businesses continue to pay ransoms, and how to fix this problem.

Indeed, despite the warnings, best practice, publicity campaigns and official advice, we know businesses infected with ransomware still frequently pay up. In just one survey of many, Databarracks found that in response to a ransomware attack, 44% of organisations questioned admitted to paying up. Just 34% recovered from backups while a further 22% used ransomware decryption tools.

And yet, paying up is expensive. The ransom itself is an unplanned drain on cash flow, and it is rarely the only cost. On top of it come the downtime while systems are restored, the loss of customers who conclude their data isn’t safe, and the broader reputational damage that follows a public incident.

Many factors feed into this puzzle, including human psychology, a fundamental misunderstanding of what paying the ransom actually achieves, and, in some cases, a lack of attention from an organisation’s board.

The psychology of ransomware

As with many things in life, psychological factors play a huge part. Motivation is crucial, and, for businesses, motivation has to be both personal and organisational. “If the board or leadership team decide to be firm and aggressive, they’ll take the necessary steps to secure their cyber realm,” Ruchi Goyal, Lecturer in International Business and Strategy at Henley Business School tells IT Pro.

That’s certainly true, but the psychology of why we act the way we do individually and collectively as a board, including around cyber security, needs a little unpacking.

Lianne Potter is an award-winning cyber anthropologist and Head of Security Operations at a major retailer. She tells IT Pro: “Humans are unique because of their ability to imagine scenarios and a future that has not yet happened. Despite this amazing skill we are very much driven by our need to seek out immediate rewards and benefits.”

This, she says, means “even though we are very cognizant that we are at risk of being a victim of ransomware, if we don’t take the necessary steps to prevent it, we are drawn to the path of least resistance”. This centres around the notion we might just be “lucky enough” to avoid being hit by ransomware.

If that is how people behave, the necessary steps need to be spelled out in advance and the way forward marked out, rather than left to individual judgement under pressure. That is a board-level responsibility.

Does paying get your data back?

It’s important to understand that cyber crime is profit-driven. Ransomware operators need victim organisations to pay up, and they go where profit comes most easily. An organisation that pays has just demonstrated that it will, so paying up is not necessarily the end of things.

As Martin Lee, scientist turned threat researcher and technical lead for Cisco’s Talos group puts it: “Paying up is no guarantee of a successful decryption of files, but it is a guarantee that as a profitable mark you will attract further attacks.”

Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University fleshes this out further. “Hackers are devious,” he explains. “Even if a ransom is paid, they inevitably retain the data. Once a data breach occurs, one must assume that all data is leaked or sold on to third parties.”

There’s also the rise of double extortion ransomware, where attackers steal data before encrypting it and then threaten to publish it unless a further payment is made, and even triple extortion, where the pressure is extended to the victim’s customers and partners or backed up with additional attacks. Once the attacker holds a copy of the data, restoring from backup no longer removes their leverage, and costs can begin adding up very quickly.

Why the C-suite must step up

If paying up doesn’t necessarily get data back, the better investment is in not needing to pay at all, and that starts with how leadership treats security.

“Security should be seen as part of your value and quality offering,” Potter says. “You wouldn’t ship out buggy code because your customers would complain and maybe leave. Security needs to sell its purpose in the same way, in a way that the business can swallow.”


The practical conclusion is that security has to be front and centre of everything a business does. That means the board, and especially the CEO, CFO and CIO, need to keep security in mind in every decision they make. It isn’t a budget line to be cut back on when times are tight, however tempting. As Lee says: “Security isn’t an add-on that should be ‘beefed up’ or ‘toned down’ on a whim, it is an integral part of doing business.”

“Every security professional that I have ever spoken with wants to do more,” says David Mahdi, chief strategy officer and CISO advisor at Sectigo, and former VP Analyst at Gartner.

It’s up to the board to give them the tools they need, though, and generate buy-in across the organisation. So what does that mean for the CFO, CIO and CEO?

Goyal’s key advice, which the CIO is well placed to own, is to “get your governing board to incorporate cyber security as a standing agenda item”. She adds that the C-suite needs to regularly revisit its cyber security mechanisms, practices and strategies, as this is the best hope for companies looking to withstand ransomware attacks and other breach attempts.

Lee adds the CFO should “calculate how much a successful ransomware attack against a key system would cost the business”, before considering the return on investment of various mitigation strategies against that cost.

Mahdi concludes that the CEO should focus on “technology, people and process”, and should never underestimate investing in people in addition to technology.

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.

At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.