Should Organisations Have a Ransomware Payment Policy?
In Episode 204 of the Defensive Security Podcast, a reference was made to an article published by Bleeping Computer that caught my attention.
“59% of employees hit by ransomware at work paid ransom out of their own pocket” (Jerry Bell, Defensive Security Podcast, 2017). Bell was quoting the headline of the article published by Bleeping Computer on 2nd November 2017.
This article reported on a survey performed by Intermedia, a cloud services business that surveyed over 1000 office workers. “Of the office workers that had fallen victim to a ransomware attack at work, 59% of them said they paid the ransom personally. 37% said their employer paid.” (Intermedia.net, 2017)
It isn’t clear whether this survey was conducted scientifically. Nor does the report state the total number of workers that had fallen victim to a ransomware attack, so the statistics can be met with scepticism. However, I was surprised to see that any employee would pay a ransom for their employer’s data.
Taylor Wessing, a UK law firm, outlined the most common arguments against making ransom payments.
“There are various commercial and sensible arguments against making ransom payments and, to cite a few here: (i) making payments would likely encourage further attacks; (ii) the attackers gain knowledge that the particular business is in fact willing to pay ransoms; (iii) the ransom payments ultimately fund criminal activity; and (iv) making a ransom payment does not guarantee the outcome which the business is hoping to achieve.” (Taylor Wessing, 2017)
Should all businesses have a ‘Ransom Payment Policy’? Should this prohibit employees from paying ransom? What can be done to prevent employees from paying ransom? Finally, should the law intervene in an attempt to stamp out ransomware attacks?
In my opinion, businesses should have a ‘Ransom Payment Policy’ that prohibits the payment of ransom both by the organisation as an entity and by its employees. I feel that the arguments against paying ransom outweigh the arguments for paying in desperation, especially considering that the aforementioned survey reported that “19% of the time the data isn’t released, even after the ransom is paid” (Intermedia, 2017). I also believe that implementing such a policy reinforces the requirement for robust business continuity plans, which should already cater for such disasters.
As a by-product of prohibiting ransom payments, employees are protected from liability and are not encouraged to undermine the efforts of the specialists who protect the organisation’s Information Technology.