Unprepared Aussie businesses compromising values, trust by paying ransomware crims

Corporate ethics, not desperation, should drive decision whether to pay extortionists

A culture of quickly paying ransomware extortionists has not only made Australian businesses high-profile targets for further attacks but risks destroying corporate reputations through the direct funding of organised crime, security experts have warned as ransomware volumes continue to pummel unprepared businesses. Many companies are well aware that they remain unprepared to deal with security compromises, with one recent survey finding that 40 percent of Australian IT decision-makers felt unprepared to deal with malicious attacks even though 55 percent had experienced an email hack or breach – well ahead of the levels in other countries.

That lack of preparedness typically surfaces in problematic ways as often-small businesses find themselves locked out of their files with current backups, or no clear way of restoring from whatever backups they do have. Yet instead of improving their proactive defences, many are paying ransoms straight away – increasingly considering them a cost of doing business.

And while it may seem like a straightforward cost-benefit business decision, this approach is raising all kinds of new questions. “One of the reasons Australia has become the #1 target worldwide is that the Australian market is paying for every single attack,” says Guy Eilon, ANZ general manager and senior manager with security firm Forcepoint.

“If you were an attacker and were attacking someone who was paying you to release his environment, you would keep attacking him again and again.” A recent analysis by Australian research firm IBRS noted that while paying ransoms is the quickest and easiest way to recover files – and that ransomware extortionists are generally keeping their word to unlock files after payment – companies may find that the payment of such people goes directly against the established corporate brand ethos.

“”The decision to pay, or not, should not be based on the equation of 'which is cheaper, the ransom or the cost of security?',” analyst James Turner wrote. “Management's decision should be driven by the question, “are we prepared to hand money to organised crime?'” “When executives consider that their choice to pay a ransom may directly help fund the illegal drugs trade and sex trafficking, the only morally defensible option is to not pay, and prepare accordingly. For organisations that are keen to maintain a brand of trustworthiness and corporate social responsibility, it should be a simple decision to make.”

The importance of trust and ethical conduct has been underscored by recent arguments that businesses need to view security as a way of building and maintaining trust with their customers; compromising this trust can lead to significant consequences and the imperative is therefore to do whatever is necessary to maintain it.

Trust may seem like a distant concept for a small business that has been locked out of their essential systems, however, and taking the moral high ground can be a difficult if not impossible choice. This is why Turner advises that it is “vital” to plan for the handling of “foreseeable” ransomware attacks well before they happen – so that ethical decisions are not made incorrectly in the heat of the moment when files have already been locked by errant ransomware.

“The time to be having a discussion about whether an organisation is prepared to pay ransom, or not, is not in the middle of a successful attack,” Turner writes. Devices with little or no valuable information can be wiped with little to no impact, he says, while more-important data can be protected using a business impact assessment backed by appropriate technical controls to prevent, or minimise the impact of, an attack.

Such decisions must be made at the highest levels of the organisation – ideally at board level, Turner says: “It is only with the clarity of this executive decision... that an organisation will have the will to commit to maintenance of technical hygiene and implementation of appropriate controls. It is imperative that business leaders understand why they are committing to this.”

Join the CSO newsletter!

Error: Please check your email address.

Tags ForcepointANZIBRSIT decision-makersIT SecurityIT managementransomwarecyber security

More about ForcepointIBRS

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts