A culture of quickly paying ransomware extortionists has not only made Australian businesses high-profile targets for further attacks but risks destroying corporate reputations through the direct funding of organised crime, security experts have warned as ransomware volumes continue to pummel unprepared businesses. Many companies are well aware that they remain unprepared to deal with security compromises, with one recent survey finding that 40 percent of Australian IT decision-makers felt unprepared to deal with malicious attacks even though 55 percent had experienced an email hack or breach – well ahead of the levels in other countries.
That lack of preparedness typically surfaces in problematic ways as often-small businesses find themselves locked out of their files without current backups, or with no clear way of restoring from whatever backups they do have. Yet instead of improving their proactive defences, many are paying ransoms straight away – increasingly considering them a cost of doing business.
And while it may seem like a straightforward cost-benefit business decision, this approach is raising all kinds of new questions. “One of the reasons Australia has become the #1 target worldwide is that the Australian market is paying for every single attack,” says Guy Eilon, ANZ general manager and senior manager with security firm Forcepoint.
“If you were an attacker and were attacking someone who was paying you to release his environment, you would keep attacking him again and again.” A recent analysis by Australian research firm IBRS noted that while paying ransoms is the quickest and easiest way to recover files – and that ransomware extortionists are generally keeping their word to unlock files after payment – companies may find that the payment of such people goes directly against the established corporate brand ethos.
“The decision to pay, or not, should not be based on the equation of ‘which is cheaper, the ransom or the cost of security?’,” analyst James Turner wrote. “Management's decision should be driven by the question, ‘are we prepared to hand money to organised crime?’” “When executives consider that their choice to pay a ransom may directly help fund the illegal drugs trade and sex trafficking, the only morally defensible option is to not pay, and prepare accordingly. For organisations that are keen to maintain a brand of trustworthiness and corporate social responsibility, it should be a simple decision to make.”
The importance of trust and ethical conduct has been underscored by recent arguments that businesses need to view security as a way of building and maintaining trust with their customers; compromising this trust can lead to significant consequences and the imperative is therefore to do whatever is necessary to maintain it.
Trust may seem like a distant concept for a small business that has been locked out of their essential systems, however, and taking the moral high ground can be a difficult if not impossible choice. This is why Turner advises that it is “vital” to plan for the handling of “foreseeable” ransomware attacks well before they happen – so that ethical decisions are not made incorrectly in the heat of the moment when files have already been locked by errant ransomware.
“The time to be having a discussion about whether an organisation is prepared to pay ransom, or not, is not in the middle of a successful attack,” Turner writes. Devices with little or no valuable information can be wiped with little to no impact, he says, while more-important data can be protected using a business impact assessment backed by appropriate technical controls to prevent, or minimise the impact of, an attack.
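The two practical gaps the article raises are stale or unrestorable backups and the absence of a business impact assessment that ties each system to a level of protection. The following script is an added illustration, not code from the article or from IBRS, of how a defender can turn that assessment into an automated readiness check: every asset carries an impact tier, each tier sets a maximum backup age and a maximum interval between restore tests, and backup artefacts are compared against the hash recorded when they were taken. The tier names, policy thresholds, asset names and dates are constructed sample data.

```python
"""Backup-readiness check keyed to a business impact assessment.

Added example: asset names, tiers, thresholds and dates below are
constructed sample data, not values from any real environment.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical policy derived from a business impact assessment.
# "none" marks devices holding nothing of value: wipe and reimage, no backup.
POLICY = {
    "critical": {
        "max_backup_age": timedelta(hours=24),
        "max_restore_test_age": timedelta(days=30),
    },
    "important": {
        "max_backup_age": timedelta(days=7),
        "max_restore_test_age": timedelta(days=90),
    },
    "none": None,
}


@dataclass
class Asset:
    name: str
    tier: str
    last_backup: Optional[datetime]
    last_restore_test: Optional[datetime]
    backup_sha256: Optional[str]   # hash recorded when the backup was taken
    current_sha256: Optional[str]  # hash of the backup artefact as it is now


def sha256_of(data: bytes) -> str:
    """Hash a backup artefact so later tampering or corruption is visible."""
    return hashlib.sha256(data).hexdigest()


def check_asset(asset: Asset, now: datetime) -> List[str]:
    """Return the policy findings for one asset; an empty list means ready."""
    rules = POLICY[asset.tier]
    if rules is None:
        return []  # wipe-and-reimage device: nothing to back up or restore
    findings = []
    if asset.last_backup is None:
        findings.append("no backup")
    elif now - asset.last_backup > rules["max_backup_age"]:
        findings.append("backup stale")
    if asset.last_restore_test is None:
        findings.append("restore never tested")
    elif now - asset.last_restore_test > rules["max_restore_test_age"]:
        findings.append("restore test overdue")
    if (asset.backup_sha256 and asset.current_sha256
            and asset.backup_sha256 != asset.current_sha256):
        findings.append("backup artefact modified since it was taken")
    return findings


def assess(assets: List[Asset], now: datetime) -> Dict[str, List[str]]:
    """Run the check over an inventory and map asset name to findings."""
    return {a.name: check_asset(a, now) for a in assets}


# Constructed sample inventory evaluated at a fixed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_GOOD = sha256_of(b"constructed backup image bytes")
SAMPLE_ASSETS = [
    Asset("finance-db", "critical", NOW - timedelta(hours=6),
          NOW - timedelta(days=10), _GOOD, _GOOD),
    Asset("file-server", "critical", NOW - timedelta(days=3),
          None, _GOOD, sha256_of(b"constructed altered image")),
    Asset("hr-share", "important", NOW - timedelta(days=2),
          NOW - timedelta(days=120), _GOOD, _GOOD),
    Asset("kiosk-01", "none", None, None, None, None),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_ASSETS, NOW).items():
        print(f"{name}: {'ready' if not findings else ', '.join(findings)}")
```

The point of exercising restores on a schedule, rather than only confirming that backup jobs ran, is that the article's "no clear way of restoring" failure only shows up when a restore is attempted; a report like this gives the board the evidence that the decision not to pay is backed by a recovery path that actually works.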
Such decisions must be made at the highest levels of the organisation – ideally at board level, Turner says: “It is only with the clarity of this executive decision... that an organisation will have the will to commit to maintenance of technical hygiene and implementation of appropriate controls. It is imperative that business leaders understand why they are committing to this.”