A third of security professionals surveyed by ThreatTrack Security said they would pay cyber attackers in order to recover stolen data and 23 percent said companies should create a piggy bank for such a need.
Yes, that means 70 percent said they would not negotiate with hackers, but that is still a startling number. What is even more telling is the fact that 55 percent of respondents who were already a victim of cyber extortionists would be willing to talk money to get data back.
Is paying up the best tactic? Could it actually prevent future losses, such as those associated with business interruptions – or even losses associated with litigation? Could it prevent embarrassment? (*coughing* Sony Pictures!)
“While revulsion to negotiating with cybercriminals is predominant in the cybersecurity industry, one-third of its members believe recovering stolen or encrypted data trumps principle,” ThreatTrack said.
It is a very interesting topic and one with precedent in the insurance industry in the kidnap & ransom market. Insureds might pay ransom – for a kidnapped executive, perhaps – and then report the loss and file a claim to be reimbursed. It’s a slippery slope, of course. Coverage for ransom is kept quiet. Very quiet. And for obvious reasons. Employees could take advantage – and kidnappers, knowing the likelihood of getting paid could increase if the kidnapped is covered by a policy, might be more prone to commit the crime.
The difficulty in robbing a bank is not getting the money. It’s getting away. Banks, after all, are insured for this kind of thing.
This gets more complicated when the “robber” is a cyber extortionist operating from his “getaway” from the start.
However, the thought of paying cyber criminals for a safe return of all data may still have its advantages. Apparently, the practice could be more widespread. When security pros were asked if they thought other organizations had paid cyber ransoms, 86 percent said yes.
Sony Pictures was sent a “ransom note” of sorts. In hindsight, would it have done something different, like pay extortionists? No emails leaked. No employee data or medical records posted for all to see. Would they pay? Would they still pay if they knew for certain the money was going to North Korea?
This may be why 44 percent of respondents favor notifying the government of a cyber extortion attempt. Even more surprising to ThreatTrack, it said, was that 30 percent thought government should be notified and granted full access to corporate networks.