The ransomware puzzle – To pay or not to pay?
The explosion of debilitating ransomware attacks raising the enduring tension between morality and business reality.
Several business leaders are often finding themselves stuck in difficult position, asking the vexing question – should we pay up the hackers in the hope of recovering our files, or should we stick to our principles, even if it means closing shop?
The argument to pay or not pay remains highly polarised.
Those against argue that such practices bankroll and perpetuate the cyber crime industry. Furthermore, there is no guarantee that cyber criminals will provide the decryption key, even after they receive the payment. Sometimes the hackers can simply vanish with the Bitcoins.
But this argument is also a tough sell, if you consider the case of the Hollywood Presbyterian Medical Center. Back in 2016, the hospital gave in to the demands of cyber criminals who blocked access to its vital medical files and demanded 40 bitcoin ransom (equivalent to $17,000 at that time). The hospital’s move was defensible, considering doctors heavily rely on up-to-date patient records to conduct open-heart surgeries, liver transplants and several life-critical procedures.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom,” Allen Stefanek, president and chief executive of Hollywood Presbyterian justified the move.
But not every enterprise yields to the demands. In 2017, a Texas police department in the town of Cockrell Hill admitted that it lost eight years’ worth of digital evidence after refusing to pay $4000 ransom after it was hit by a ransomware attack. The police department didn’t have up to date back up files, and lost all bodycam video, some photos, some in-car video, and some police department surveillance video.
This incident, like several others, underscores the significance of the risk – cyber criminals often follow through with their threats if their demands are unheeded.
In my upcoming book, The Five Pillars of Cyber Resilience, I argue that this is much more than an IT matter – it’s a business-wide issue that strikes at the core of an enterprise’s values. It’s a matter that requires senior business officers to carefully consider and take a position earlier, rather until the enterprise is under siege.
Are there enterprises out there that would stick to their ethics and refuse to pay cyber criminals even if it means getting out of business, loosing a significant share of the market, or even worse, exposing civilians to harm?
I am keen to hear your thoughts. You don’t have to be a cyber security professional; this issue affects everyone of us.