Mike Tyson used to say, "Everyone has a plan until they get punched in the face." It's much the same with ransomware attacks: No matter how much you insist that of course you'd never pay a ransom, your plans go out the window the first time you see all your organization's computers showing that "You've been hacked" screen.
The truth is that organizations are increasingly paying ransoms to recover their data. In fact, 70% of businesses hit by ransomware attacks wind up forking over thousands of dollars to their attackers. Even local governments have paid ransoms to regain access to vital services. No matter how much we tell one another that we'd do things differently, the reality is that when your data disappears and you start losing clients or missing deadlines, you'll pay virtually any price to put things right.
Rather than virtue-signaling with a blanket "We never pay" statement, organizations need to be realistic about the specific circumstances in which they'd pay a ransom. If you're a hospital and people will die if you don't get your computers back online STAT — yes, it's better to pay up. If you're in a less critical field, and it's just a question of waiting around while your backups come online, maybe you can ride it out without paying.
But either way, it's important to be honest — with yourself, your C-suite, your directors, and other stakeholders — about how you'd respond to a successful ransomware attack. When you're clear and pragmatic about the circumstances in which you'd pay a ransom, you can make more meaningful plans. That starts with including the cost of ransom payments — and for the fines you'll have to pay if you give cash to cybercriminals — in your IT budget. Your CEO might not enjoy budgeting for Bitcoin transfers to hackers, but it's better to plan ahead than to be blindsided by unanticipated costs.
A clear-eyed approach to the ransomware threat also makes it easier to handle the PR fallout from an attack. That's partly because you can plan ahead, and figure out how to create a crisis communications strategy that's aligned with the reality of the situation you find yourself in. Just as importantly, though, it's far easier to explain your ransom payments to customers and shareholders if you've been upfront about the risks you face, and haven't previously claimed that you'd never, ever pay to retrieve stolen data.
Perhaps the most important reason to be honest about your ransomware response strategy, though, is that it gives you full visibility into the true cost of ransomware attacks, which in turn allows you to make more realistic cybersecurity ROI calculations. When you know how much a ransomware attack will cost you — including the ransom, the fines, and the potential damage to your brand — then you can make smarter and more informed decisions about how much you should be investing in cybersecurity designed to keep your data safe.
It's always better, after all, to make sensible investments in security upfront and avoid getting hacked in the first place. But unless you're correctly assessing the potential impact of an attack — including the inevitable cost of paying a ransom to recover your data — it's impossible to figure out how much you should really be paying to try to keep yourself safe. Without that kind of clarity, it's also impossible to weigh the value of each year in which you successfully fend off ransomware attacks on your organization — a key step toward justifying your investments in cybersecurity to shareholders, board members, or the rest of the C-suite.
Accepting that there are circumstances in which you'd pay the ransom also makes it easier to differentiate your data and adopt a defensive posture that's tailored to the actual value of the data you're trying to protect. If there's some data you would pay a ransom to recover, and other data that you could easily do without or reconstruct, then it doesn't make sense to use the same defensive systems to protect both datasets. Instead, invest to protect your most valuable data and ensure that it's securely fenced off from your less valuable and less robust broader data ecosystem.
That's really the key insight I'm trying to communicate: not that you should always pay ransoms, nor that reflexively paying the ransom should be your default response if the worst happens, but rather that you should be clear-eyed about what your data is really worth to you.
Pretending that you'd never pay a ransom is pointless posturing. Instead, aim to be realistic and upfront with your stakeholders and to implement security solutions (and, yes, post-ransomware payment strategies) that are proportional to the value of the data you're trying to protect. It's by thinking clearly about the costs involved that you'll ultimately be best able to take the necessary steps to keep your data safe.