Threat Management

Debate: Should you pay a cyber ransom?

Industry experts debate whether organizations should or should not pay a cyber ransom to miscreants.

Jeff Bardin, chief intelligence officer, Treadstone 71

While many in the security industry believe one should never pay a hacker regardless of the circumstances, it's wrong to view cyber extortion as a black-and-white issue. Even the most well-prepared company can still be caught off guard by a hacker.

For example, hackers will often target companies during the least optimal time – such as the holiday selling season, when the financial risk is greatest and the ransom is small money in comparison. 

As repugnant as it is, in some cases, paying a ransom may be the only way to get back critical data or resources, or to resume normal business operations. By paying the ransom, a company can buy itself a brief reprieve so that it can fix the underlying vulnerability. 

Ransom payments should only be viewed as a last resort, a short-term solution: Expect the hackers to come at you again – and their incursion may launch from anywhere on the planet – so use that time to harden your defenses and repel the next attack.

Dave Chronister, founder, Parameter Security

Cyber extortion is a growing problem for businesses, but the last thing anyone should do is pay the hackers. Once they realize they have a compliant victim, the hackers will come back again and again – and there's no guarantee they'll even stop in the first place. There could also be reputational damage if the public finds out you paid, and possibly even legal and regulatory consequences. Companies should disregard this option completely – under no circumstances should you pay. Instead, you must take the proper steps ahead of time to mitigate the potential damage.

Every company should have a data backup plan in place – this will largely neutralize the ransomware threat. Segment networks to limit the spread of infections. Perform distributed denial-of-service (DDoS) testing and mitigation training and have cloud backups in place. Conduct regular security audits and test your company against specific extortion scenarios. By preparing for these attacks ahead of time and layering your defenses, companies can effectively mitigate extortion-related threats.

Jeff Bardin

Jeff Bardin is the Chief Intelligence Officer for Treadstone 71, with clients on four continents. In 2007, Jeff received the RSA Conference award for Excellence in the Field of Security Practices. His team also won the 2007 SC Magazine Award – Best Security Team. Jeff sits or has sat on the boards of Boston Infragard, Content Raven, the Journal of Law and Cyber Warfare, and Wisegate, and was a founding member of the Cloud Security Alliance. Jeff served in the USAF as a cryptologic linguist and in the US Army / US Army National Guard as an armor officer and armored scout platoon leader. Mr. Bardin has extensive experience in cyber intelligence lifecycle services, program builds, targeted research and support, cyber counterintelligence services and analysis, deception planning, and cyber operations.
