Paul Rose, Chief Information Security Officer, Six Degrees, asks the question ‘to pay or not to pay?’, and examines the ethical considerations and best practices that organisations should take when dealing with ransomware demands.
The recent ransomware attack on Norsk Hydro has highlighted the risks today's organisations face from cybercriminals, with the firm losing a reported $52 million so far.
The financial damage Norsk Hydro has suffered could be greater as a result of its decision not to pay a ransom to the cybercriminals who launched the attack, which raises an interesting question: should your organisation pay cybercriminals that target you with a successful ransomware attack?
Here are some ethical considerations and best practices that organisations should take when dealing with ransomware attacks.
Also of interest: Podcast - Cyber extortion: to pay or not to pay?
To pay or not to pay?
A successful ransomware attack on your organisation can be a stressful, intimidating experience. The loss of mission critical files and the potential for financial loss, operational chaos and reputational damage causes many impacted organisations to consider paying the ransom. The reason? They’d rather pay the fine and get back up and running quickly than try to tough it out and restore encrypted files without a decryption key.
If your organisation has considered paying a ransomware demand, you’re not alone. Many do, and there’s even an industry developing around brokering deals between cybercriminals and affected organisations.
So, if your organisation is ever infected with ransomware, should you pay the ransom? In a word, no. There are both best practice and ethical reasons for this. A 2018 report by CyberEdge Group stated that of the affected organisations that have paid cybercriminals, only 19% actually got access to their files. That’s a pretty poor rate of return.
The ethical reasons for refusing to pay ransomware demands are also compelling. Cybercriminals who launch ransomware attacks are often involved in other criminal enterprises, from illegal drugs to human trafficking. There is a very real chance that the ransom money you pay will be funding serious criminal activity that you would be appalled at indirectly contributing towards. And given that paying ransomware demands will only encourage cybercriminals to launch more attacks, what may seem like taking the easy way out actually makes the problem worse.
No organisation should have to pay ransomware demands. However, in order to take this approach with confidence, best practices are needed to minimise exposure and ensure that a robust strategy is in place should the worst happen. This is where cyber security playbooks come in.
Also of interest: How are cyber criminals collaborating?
Your cyber security playbook
Most organisations plan for fires, floods and other incidents that impact organisational resilience. Cyber security incident management – including the management of ransomware attacks – should be no different. Ransomware attacks present a unique set of challenges; they can be high-speed, unstructured and diverse, and crisis management can be intense and demanding.
An incident response plan is therefore necessary to rapidly detect incidents, minimise loss and destruction, mitigate exploitable weaknesses and restore services. Every attack is different and so is every organisation, so it’s important to establish incident response plans that are tailored to your organisation’s needs.
This is achieved through cyber security playbooks. A cyber security playbook is an incident response process tailored to a specific incident scenario that allows an organisation to hone how it deals with the incident, and provides all members of an organisation with a clear understanding of their roles and responsibilities before, during and after a security incident.
There is no ‘one size fits all’ approach to cyber security playbooks; a strategy and approach that is right for one organisation may be completely different for another, and data that is considered important will also differ between organisations.
An incident response process is not a singular action, and building a cyber security playbook can be a complex undertaking, requiring substantial planning and resources. Fortunately, there are best practice guidelines available that will help you get started.
Also of interest: Who is going to be driving 6G?
Components of a cyber security playbook
National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce, has produced NIST SP 800-61 – Computer Security Incident Handling Guide. This guide helps organisations build cyber security playbooks that ensure incidents are handled in an efficient and effective manner, using a common framework.
Cyber security playbooks take a four-phase approach:
- Preparation: Preventing incidents by ensuring that systems, networks and applications are sufficiently secure.
- Detection and Analysis: Establishing whether the incident is real, analysing its nature, spotting irregular activity and understanding exactly what is happening.
- Containment, Eradication and Recovery: Combating the threat and taking action to prevent further damage.
- Post-Incident Activity – Lessons Learned: What happened, what went well, what is needed for future incidents, and what evidence should be collected for prosecution, retention and so on.
Developing a cyber security playbook with the support of a trusted security partner is the most effective way to deal with ransomware attacks without paying ransoms to cybercriminals. By investing the time in creating and maintaining cyber security playbooks, you will significantly reduce the risk of your organisation suffering significant financial, operational and reputational damage.
About the Author
Paul Rose is Chief Information Security Officer at Six Degrees, a leading cloud-led managed service provider that works as a collaborative technology partner to organisations making a digital transition.
Six Degrees works collaboratively and builds long-term partnerships through exceptional services that match its clients’ needs. It continually innovates the right solutions to enable clients’ brilliance.