Contending with hostage situations is no longer something only shipping companies moving goods through pirate-infested waters must consider. With the growing threat of ransomware – malware that locks data until an enterprise pays for its decryption – businesses across industries have found themselves negotiating with criminals to release critical corporate information.
One such victim of ransomware was Hollywood Presbyterian Medical Center, a Los Angeles hospital, which recently paid $17,000 to unlock systems taken hostage by criminals. During the attack, hospital staff reverted to paper records and diverted many high-risk patients to other local hospitals. With so much of an organization’s operations dependent on computer and internet access, losing the ability to reach those systems can be catastrophic.
When data or software is inaccessible, it can slow business operations, cost a company money and damage an enterprise’s reputation. Because of this, it’s critical for business leadership to address the growing threat of ransomware as a business risk rather than a siloed IT issue.
When an incident occurs, time is critical. The longer an organization waits to respond, the longer its business functions and reputation could suffer. So it’s important that businesses create a response plan for a ransomware incident before an attack occurs, including criteria for determining whether or not to pay to unlock data. Ultimately, the choice to pay or not is a business decision that requires considerations from across the organization and must be debated and agreed upon ahead of time.
While the calculus of each business will be different, there are several steps companies should take now, before a threat occurs. Considering these factors before an attack will not only aid in response but also show customers, stakeholders and the public that the enterprise has a well-reasoned strategy for dealing with ransomware incidents.
When creating a plan and considering whether to pay ransoms, enterprises should consider the following items:
1. Backup and Imaging of Data – With the exponential growth of corporate data, it’s difficult for enterprises to know what information they have and where it’s stored. However, this knowledge is critical to deciding whether to pay a ransom. If a company has a reliable backup of the data taken hostage, it may be able to restore a fresh copy from that backup instead of paying the criminals.
2. Importance of the Data – Organizations should take inventory of their data and systems, identify the pieces that are critical to operations, and decide how much they would be willing to spend to recover that data in the event of an attack. Determining specific criteria beforehand will make responding to a ransom demand easier should an attack occur.
3. Reputational Damage – It’s never good when criminals take an organization’s data hostage, but it can be particularly bad for an organization devoted to protecting and serving communities, like law enforcement departments and hospitals. In addition to the importance of compromised data, enterprises should consider how their response to a ransomware attack will affect their reputation with customers, partners and shareholders.
4. Consider the Liability – While paying a ransom may be the easiest way to recover compromised data, there’s never a guarantee that criminals will release the information – you are dealing with professional thieves, after all. That said, according to the FBI, most organizations that pay the ransom do get their data back. Another argument holds that paying ransoms only encourages criminals and enables them to refine their attacks. However, it’s equally possible that your organization may become a less attractive target, because the company will be more aware of the threat and will have hardened its systems against further attacks.
Once a ransom is paid and an enterprise’s data unlocked, regular business functions can resume. But it’s important for the company to address potential fallout from an attack and the company’s reaction. Enterprises should consider how best to communicate their decision to customers and their industry, engage stakeholders and strengthen security to prevent another attack.
It’s important for organizations to think through these hypotheticals before an incident rather than during an attack. Having a clear response plan to help determine whether to pay to unlock compromised data will help organizations deal with an attack rationally and come to the best possible decision.