Firms need to weigh up the costs of paying ransoms with the costs and challenges of recovering from ransomware attacks, according to an expert panel at Infosecurity Europe 2022.
Paying a ransom raises both ethical and practical questions. Paying has a direct cost, whether borne by the company itself or by its cyber insurance policy, and it can also cause legal and regulatory problems. In some cases firms even face sanctions, or fines under anti-money laundering laws. Paying ransoms can also cause reputational damage.
Against this stand the time and cost of recovering data and systems, and the loss of trade during the outage. Smaller businesses can find it easier to pay the ransom than to try to recover from backups.
“We’ve all been told not to pay blackmailers and extortionists. If you do they will come back time and time again,” said Barry Coatesworth, Director - Risk, Compliance & Security, Guidehouse. “Some larger organizations can weather the storm and not pay. But SMEs can’t. If they don’t pay, they lose the business.”
Whether a business can recover depends largely on the quality of its backups, on storing those backups off site, and on having a clear ransomware playbook or plan. According to Kevin Jones, commercial CISO at Airbus Group, organizations need recovery time objectives and a plan for restoring their critical applications to their own hardware or to the cloud. “How do you link business processes to IT systems, and prioritize recovery?” he asked.
Firms also need to prioritize system recovery, whether they are attempting to restore from backups or have paid a ransom and received a recovery key. Even with a recovery key, restoring data can take time. “Do you bring up the payroll system first, or the revenue generating systems?” said Camelot Group CISO David Boda. Recovery planning should also involve stakeholders, including shareholders and, potentially, government.
Firms that do opt to pay should go through their cyber insurance company or a professional negotiator to agree terms, Coatesworth said. In some cases, law enforcement will handle negotiations.
Above all, though, organizations need to be transparent about the incident, whether they pay or not. Communication with customers, employees and internal staff, such as account managers dealing with the supply chain, is vital. Firms should act quickly, but not hastily. “The worst thing is to hide an incident or delay disclosure too long,” Coatesworth said.