I agree with the author’s solution to organizations of protection and resilience and that paying ultimately hurts everyone. If everyone refused to pay, we may see these types of attacks diminish.
The challenge for cyber security professionals will always be convincing senior leadership to understand why not paying is better in the long run.
Having that conversation in the moment is too late. There needs to be a cyber attack response plan communicated and approved before disaster strikes.
Even so, there will always be the friction of cost. Senior leaders will weigh the cost of paying against the cost of downtime/repair and the social stigma if your company provides a service to customers. If your original argument isn’t strong enough, cost will win.
One more point: paying is also a systemic issue. Cyber insurance is becoming popular for business. What we have seen with some insurers is that their solution for ransomware is coverage to pay the ransom, perpetuating the problem.
Good point about the cyber-insurance aspect of things perpetuating the problem.
I don’t have hard data but I believe this will be a thing of the past soon enough. With ransomware being so common an issue now & the requirements to obtain said insurance getting harder to meet, I could see that not being a viable or cost-effective solution to restoring service.
I hope you’re right that it does phase out. Here is evidence that having cyber insurance makes you more of a target.
DS: Do your operators target organizations that have cyber insurance?
UNK: Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.
Interview
That is an excellent interview … Thanks for sharing.
That certainly adds to the whole problem with payouts.