Industry experts debate whether organizations should or should not pay a cyber ransom to miscreants.
Jeff Bardin, chief intelligence officer, Treadstone 71
While many in the security industry believe one should never pay a hacker regardless of the circumstances, it's wrong to view cyber extortion as a black-and-white issue. Even the most well-prepared company can still be caught offguard by a hacker.
For example, hackers will often target companies during the least optimal time – such as the holiday selling season, when the financial risk is greatest and the ransom is small money in comparison.
As repugnant as it is, in some cases, paying a ransom may be the only way to get back critical data or resources, or to resume normal business operations. By paying the ransom, a company can buy itself a brief reprieve so that it can fix the underlying vulnerability.
Ransom payments should only be viewed as a last resort, a short-term solution: Expect the hackers to come at you again – and their incursion may launch from anywhere on the planet – so use that time to harden your defenses and repel the next attack.
Dave Chronister, founder, Parameter Security
Cyber extortion is a growing problem for businesses, but the last thing anyone should do is pay the hackers. Once they realize they have a compliant victim, the hackers will come back again and again – and there's no guarantee they'll even stop in the first place. There could also be reputational damage if the public finds out you paid, and possibly even legal and regulatory consequences. Companies should disregard this option completely – under no circumstances should you pay. Instead, you must take the proper steps ahead of time to mitigate the potential damage.
Every company should have a data backup plan in place – this will largely neutralize the ransomware threat. Segment networks to limit the spread of infections. Perform distributed denial-of-service (DDoS) testing and mitigation training and have cloud backups in place. Conduct regular security audits and test your company against specific extortion scenarios. By preparing for these attacks ahead of time and layering your defenses, companies can effectively mitigate extortion-related threats.