Cyber experts: firms should take a position on ransoms

There are pros and cons to paying a ransom and a firm’s decision should be included in its cybersecurity policy.

A clause stating whether a private fund firm will pay up in the event of a ransomware attack should be included in its cybersecurity policy, according to experts.

Making the decision when not under attack will make it easier to mobilize the incident response plan should the worst happen, Brian Hussey, vice-president of cyber threat detection and response at cybersecurity consultancy Trustwave, told pfm.

“If [you decide to pay the ransom], set up a Bitcoin purse. This isn’t something you want to be doing when the clock is ticking,” he said.

Whether or not to pay the ransom is a decision only a firm can make, but a second expert says there is no question that the ransom should be paid.

“It’s a legitimate option in risk management. Statistically speaking, most firms will be able to recover their data, and paying the ransom is, in most cases, the simplest, cheapest and easiest way to resolve the situation,” Israel Barak, chief information and security officer at cybersecurity consultancy Cybereason, told pfm.

Ransom demands will generally be proportionate to the size of a firm, with attackers profiling their targets and setting the cost accordingly.

A home user can expect to pay between $500-$1,000, a small business anywhere from $1,000-$10,000 and a large business between $100,000-$150,000, Barak said.

But there are cons to paying a ransom. For example, a firm could pay the ransom but still not get its data back. There’s also a view that paying the ransom is paying into the criminal system, Hussey said.

A lawyer shared this view, adding that the incidence of ransomware attack is likely to continue growing as hackers become more confident and victims pay out.

“[A private fund firm] may receive an email from an attacker demanding payment in exchange for the return of data. Unless payment is received the hacker may post your data (say your limited partner information which may include highly confidential information) on a public website so everyone can see it,” Paul Ferrillo, counsel in Weil’s corporate department, said.

Faced with reputational issues, the firm may decide to pay the ransom.

“Of course, this is fine until three months later when the attacker comes back, steals further information and then doubles or triples the ransom,” Ferrillo said.