Photographee.eu - Fotolia
Our organization is developing a short policy statement to deal with future ransomware outbreaks. However, a key point we disagree on internally is that some people believe it's okay to pay a ransom for data depending on the cost/value equation, while others think paying the ransom is like negotiating with a terrorist and should just never be done. What approach should we take?
Ransomware is surreptitious software that overtly takes control of a computer's hard drive and encrypts it. It holds the information hostage until a ransom is paid for release of the decryption key. Payment of the ransom is often made in bitcoin, which is anonymous and untraceable. The ransom can be -- and typically is -- paid if the information or computer taken hostage is critical to the operation of a business or victim. The underlying question is how this could have happened and what recourse is available. On June 5, 2014, Cisco foretold of a rash of ransomware attacks and this is starting to come to pass.
Companies falling victim to ransomware and that wind up paying the ransom, tend to either have poor backups or insufficient controls; or, if both systems are working effectively but still succumb to more sophisticated attacks, there are greater concerns regarding reputational or financial risks if the incident goes public.
Should a company pay ransom for information or computers taken hostage? Ethically speaking, the answer is no. But in a practical sense, given the criticality of the asset, it might have to. If not paying to remove ransomware has an adverse effect on a business' viability, then there are few choices. If the organization can accept a loss in business, then the ransom should not be paid and attention should be focused on preventing reoccurrence.
There are several steps organizations can take to prepare for a ransomware attack, including backing up critical data daily, running incrementals to make the backup process less cumbersome and time consuming, ensuring strong network security, verifying and periodically testing malware detection and application controls and also deploying comprehensive monitoring processes to detect unauthorized access attempts and unknown or unexpected changes in environments. The key is to have sufficient controls and recovery processes in place to render a hostage situation merely an inconvenience and not a critical business threat.
Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
Mike Chapple explains how to deal with advanced encryption algorithms in ransomware.
Dig Deeper on Information Security Incident Response-Information
Related Q&A from Mike O. Villegas
As ransomware continues to surge, companies are faced with decisions to report the attacks, pay the ransom or both. Experts weigh in on the options ... Continue Reading
A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading
A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading