To Pay or Not to Pay: Big Question When Hit with Ransomware
This is likely the toughest decision a CISO has to make in their entire career.
Malwarebytes’ Brian Thomas said whether to pay the ransom is “something we leave up to the SMBs.”
“I’ll harken back to the percentage — 43% of SMBs don’t even have a plan,” he said. “And that $4.2 million number for a ransomware attack, it’s something that they just can’t afford, especially in the SMB market. So it’s our prerogative to make sure that if they ever are in that situation, that difficult situation to pay, that we have the solution set and we have the services to help them.”
Fortinet’s Jon Bove said when it comes to the question of whether to pay the ransom, he would encourage all customers and partners to build a broad security posture that allows them to protect and respond.
Proofpoint’s Joe Sykora said paying or not paying is going to depend on the size of the organization and what they can afford, and how soon they can get back online.
“That’s what’s going to determine it,” he said. “Some industries do not have the option, like if I’m a health care provider and it’s a life or death situation. Most of the time, at least what we’ve seen across our customer bases is, yes, they have. We just had a study where we did a lot of research with people who initially made payments and got the data back, those who made second payments and then also people who didn’t. On the business side of it, is there a cost for being down? Then it becomes a business decision. And I think that’s the way a lot of C-levels view it on the end user side. So it’s going to depend on the situation. There are a lot of variables to it.”
Sophos’ Scott Barlow said he tells partners to have a disaster recovery plan.
“A lot of these partners, and with some of the more recent breaches that happened, their disaster recovery plans were on the machines that were encrypted,” he said. “So have a disaster recovery plan and have it in a place that’s printed out, not encrypted. Have good layers of defense in place with backups that you can test and validate on a daily or weekly basis. There are services that do that. And be prepared, because it’s not ‘if’ it’s going to be, but when. Usually it’s the machine that you forget to install the agent on. So I think MSPs and partners in general need to look closer at their security posture internally and make sure that everything is protected and then across their entire customer base.”
NTT Application Security’s Matt Lantinga said how you react to a ransomware attack is important.
“The saying that you always hear is ‘it’s not if, it’s when’ and it’s how you react,” he said. “What systems do you have set up? How quickly do you realize it’s happening? What do you have to recover from it? And depending on that, is whether you should pay. If you’re not protected and they truly get ownership, you have to look at what is this going to cost us if we don’t do this. Is it more expensive to pay or is it more expensive to suffer through and try to recover? And it’s going to be different with everybody. It’s going to be a lesson learned for those that are having to pay to make sure that they don’t have to pay again. In the end, it really depends on the situation. It really depends on the cost. And I think with almost every decision that a business makes, it’s going to be dollars and cents. ‘What makes more sense for our business? What is more advantageous for us, to pay the ransom or to work our way out of a situation?’ So there’s not a one-size-fits-all, that’s for sure.”
Trellix’s Kristi Houssiere said whether to pay is probably the toughest decision CISOs will have to make in their career.
“No one wants to pay,” she said. “No one would recommend it because you’re just propagating the problem. But you have to look at the risk. If you’re a hospital and the devices are somewhat maintaining a human life, you have to make the hard decision. But bottom line is, have a plan, have a recovery plan, a plan with protocols, and work the plan. Actually have a plan and test the plan on a regular basis, but also work with legal and a law enforcement team. Work with the FBI, work with people that know how to negotiate with these people. There are third parties that help with that. There are third parties that help with cryptocurrency. Sometimes you can get the payment back and make money because the crypto has gone up. Educate your employees and update the system, backup plans, updates, make sure they can be restored.”
Netenrich’s Justin Crotty said paying depends on what was compromised.
“Not every asset is the same,” he said. “Not every risk is the same. So it depends on what was compromised and your recoverability from it. I think those are two factors that go into it. Can you recover? If you believe you can, how critical were the assets that were compromised? Was it everything or something less than everything? It’s a hard decision. Everybody would say ‘don’t pay.’ But the reality is sometimes businesses can’t afford not to. It’s tough.”
To pay or not to pay? That’s the question facing every organization that’s hit with ransomware.
Their data has been encrypted and their business may be at a standstill. Then the inevitable ransom demand arrives.
Do you pay or do you refuse in the hopes of being able to recover and resume business with as little damage as possible? With near-constant ransomware attacks, organizations globally face that question around the clock.
Our cybersecurity roundtable at the 2022 Channel Partners Conference and Expo addressed this topic.
This is the fourth in a series of articles highlighting various topics addressed by the roundtable. The first was on partner stress from the M&A frenzy. The second was on threats and issues beyond ransomware, and the third discussed unprecedented times for cybersecurity channel partners.
Panelists included:
Scott Barlow, Sophos’ vice president of global MSP and cloud alliances.
Jon Bove, Fortinet’s vice president of channel sales.
Justin Crotty, Netenrich’s senior vice president of channels.
Kristi Houssiere, Trellix’s senior director of global channel strategy and operations.
Matt Lantinga, NTT Application Security’s vice president of sales and global strategic accounts.
Joe Sykora, Proofpoint’s senior vice president of worldwide channels and partner sales.
Brian Thomas, Malwarebytes’ vice president of worldwide MSP and channel programs.
See our slideshow above for more from the roundtable on whether to pay the ransom.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.