To pay or not to pay? This isn’t the only question
Because a ransomware incident is not a reportable event in most jurisdictions, there are few statistics on how many organizations pay the ransom, although this is changing. Some jurisdictions, such as Australia and the US, are introducing or enacting legislation that makes reporting mandatory if ransoms are paid. Anecdotally, based on our experience with clients, we find that most organizations do pay because, in many cases, it’s cheaper to pay than to recover.
However, paying is no guarantee that an organization will fully recover its data or that the attack will be a one-off event. Oftentimes, cyber attackers encrypt the organization’s systems in segments, requiring the organization to pay for individual keys that unlock each segment, and not all of those keys may work.
Assume you will be attacked and be prepared to act
The first rule in building ransomware-resilient operations is to assume you will be attacked. It’s not a matter of if; it’s a matter of when. Further, having detection and response in place is key to disrupting and preventing ransomware attacks.
If you don’t have a policy or processes in place to act, start now. Test response processes and determine what your policy is for paying or not paying. Organizations tend to be binary when making this decision, but there are a number of intricacies and “what ifs” that you need to consider. For example, what if the threat actors exfiltrate data? What if they go after individual clients? What if they come back for a second extortion payment? There also needs to be a clear line of authority for crisis commanders, escalation paths for decision-making, and initial decision boundary criteria that establish guardrails for handling the unique nature of a ransomware attack.
As an operational or cybersecurity leader, you will want to test the policy you develop to understand the risks and tradeoffs of the decision to pay or not to pay, who the stakeholders are, what the process will be, who will have the authority to make the decision to pay, and at what point the organization will have to disclose the attack.
Once the policy and processes are in place, as the CISO you will want to conduct, at least annually, internal assessments of implemented controls to determine their effectiveness, along with basic maturity assessments of key controls, to make certain that the organization can withstand a ransomware attack.