A recent poll of 250 security professionals in the U.S. found that most – but not all – respondents would refuse to negotiate with cybercriminals in an attempt to recover stolen or encrypted data.
While 70 percent of professionals said they wouldn't pay cyber extortionists, the remaining 30 percent admitted they would. ThreatTrack Security, a firm that helps organizations identify and mitigate advanced persistent threats (APTs) and targeted and sophisticated malware attacks, commissioned the survey, which was conducted by Opinion Matters and published Tuesday.
The study, which polled security practitioners from mid-market enterprises (organizations with 500 to 2,500 employees), also found that “respondents in organizations already targeted by such schemes (38 percent of all respondents) are far more willing to play ball.”
Among respondents already targeted, 43 percent said that their companies should set aside funds for negotiating with cybercriminals who steal, encrypt or threaten to sell their data, the report said. Respondents at larger companies (2,000 or more employees) were more open to making deals with cybercriminals to retrieve data, however.
“The sentiment against negotiating with cyber extortionists was stronger at smaller companies,” where, according to 78 percent of respondents, they wouldn't negotiate, the report said. “Respondents at companies with 2,000 to 2,500 employees took a softer stance” - only 42 percent said they would negotiate.
Of note, organizations in industries that were heavily targeted by cybercriminals, such as the healthcare and financial services sectors, were more resolute in their decision not to bargain with attackers.
“Currently, however, there is strong opposition, which grows stronger within industries most often targeted by cybercriminals - healthcare and financial services,” the study revealed, noting that 92 percent of those surveyed in healthcare and 80 percent in the financial services sectors “said they wouldn't negotiate.”