Our organization is developing a short policy statement to deal with future ransomware outbreaks. However, a key point we disagree on internally is that some people believe it’s okay to pay a ransom for data depending on the cost/value equation, while others think paying the ransom is like negotiating with a terrorist and should just never be done. What approach should we take?

Ransomware is surreptitious software that overtly takes control of a computer’s hard drive and encrypts it. It holds the information hostage until a ransom is paid for release of the decryption key. Payment of the ransom is often made in bitcoin, which is anonymous and untraceable. The ransom can be — and typically is — paid if the information or computer taken hostage is critical to the operation of a business or victim. The underlying question is how this could have happened and what recourse is available. On June 5, 2014, Cisco foretold of a rash of ransomware attacks and this is starting to come to pass.

Companies falling victim to ransomware and that wind up paying the ransom, tend to either have poor backups or insufficient controls; or, if both systems are working effectively but still succumb to more sophisticated attacks, there are greater concerns regarding reputational or financial risks if the incident goes public.

Should a company pay ransom for information or computers taken hostage? Ethically speaking, the answer is no. But in a practical sense, given the criticality of the asset, it might have to. If not paying to remove ransomware has an adverse effect on a business’ viability, then there are few choices. If the organization can accept a loss in business, then the ransom should not be paid and attention should be focused on preventing reoccurrence.

There are several steps organizations can take to prepare for a ransomware attack, including backing up critical data daily, running incrementals to make the backup process less cumbersome and time consuming, ensuring strong network security, verifying and periodically testing malware detection and application controls and also deploying comprehensive monitoring processes to detect unauthorized access attempts and unknown or unexpected changes in environments. The key is to have sufficient controls and recovery processes in place to render a hostage situation merely an inconvenience and not a critical business threat.

Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)