Advice For Investors: When Did They Stop Having A Ransomware Problem?


Ted Hayes writes:

People are easy to manipulate. Maybe not everyone at any time, but both human history and behavioral research show that eventually we can be swayed. As our post on the CSF puts it, potayto potahto -- I'll call it manipulation and you can call it training or education or development. Our ultimate goal is to have you do something different or differently than you did before. It's good that we can be manipulated when we're talking about public health or driving safely or treating each other with dignity and respect, or when we're trying to train people to crochet or have them learn how to be neurosurgeons. 

There's a downside to manipulation. Call it training debt: people don't behave as predictably, to do a specific function, as circuits and switches and processors do. This presents a big problem when an organization depends on people to use systems in a way that supports cybersecurity.

Cyber-thieves rely on being able to manipulate people to click on a link, go to a site, respond to a call or do something else that increases the chances that a cybersecurity incident will occur. (A thief might call it a pay day, not a cybersecurity incident.) Both authors of this post have recently received texts or emails allegedly from a highway toll transponder company to "call us about your account." In both cases the thieves hoped that the recipient -- us -- would do something that a switch or circuit would not do on its own: give systems access to an entity that would not otherwise have access. Once previously off-limits access is gained, the thieves then deny the rightful owner systems access until a ransom is paid in whatever denomination was desired. This is a classic ransomware attack.

Behavioral cybersecurity emphasizes that leaders need to create a framework for connecting securely with people outside the organization. This can happen through annual training, rules, etc. It can happen through identifying best practices arising from coordination or collaboration or comparisons with other business units. All of this is basic cybersecurity, but these approaches are not equally effective.

Manipulating people to learn new cybersecurity habits is not readily done in a one-hour annual training. Think of the annual training as "don't-training." The first problem with "don't-training" is that you're not telling people what to do other than to not do something. Getting people to use secure cybersecurity habits -- "do-training" -- takes days or weeks of intervention. What balance did the prospect use between "don't-training" and "do-training"? The second problem with don't-training is that it doesn't manage the risk, it creates a pretend world where the risk was trained out. That's not reality-based thinking.

Behavioral cybersecurity interventions, "do-training," are needed because cybertheft attacks work often enough to make them worthwhile. An investor might want to know how effective the prospect's previous cybersecurity interventions have been. How many ransomware attacks were launched at a prospect in the last fiscal quarter, and what happened? Ask more questions: How much time and money was spent on cybersecurity interventions last year? What was the focus -- what not to do, or how to work more securely? 

The world of cyber-threats keeps becoming more perilous. A recent report indicates that attacks and system threats from artificial intelligence (AI) are rising alarmingly quickly. It's beyond our scope in this post to discuss AI-based threats, but one stat from this study that caught our attention and seems germane is that there is a rise in 'agentic AI attacks' -- that means an increase in 'phishing' attacks and data leakage.

Leaders who adopt a "don't-training" posture are hoping that their employees "figure it out." Investors should ask how well that has worked for that prospect. The likely answer is that the prospect has a risk management problem, and that means they will continue to have a ransomware problem.

Brendan Hemingway responds:

Sitting in the back of the house, the IT infrastructure part of the organization, we applaud training and preventive measures, but we know we cannot trust training and preventive measures. We are living proof that, sooner or later, training and preventive measures fail. And while we really do appreciate the lower number of disasters that training and preventive measures can bring, we still need to be able to handle those disasters that happen anyway.

Ransomware attacks are a great example of why Pythia Cyber wants your Cyber Security program to be the partner that coordinates your IT people in the Recover phase of an incident, and why we do not think that making Cyber Security part of IT is ideal.

According to The HIPAA Journal, the percentage of organizations opting to pay the ransom is going down and was 29% in 2024. That is good news, but that is still a rather large number of ransoms paid. Let's frame this discussion with a simple question: why do so many organizations opt to pay the ransom when, in theory, we all have backup and restore programs?

To be fair, ransomware attacks are a weird way to have a data recovery problem. The most common reason for needing data recovery is human error: someone deleted something that should not have been deleted. But these deletions are usually on a small scale and recovery is pretty easy. Next comes software bugs, which are pretty rare in the data corruption game because there is enormous pressure to avoid shipping software with these bugs. Until ransomware hit the scene, the most severe data recovery scenario was catastrophic hardware failure (rather rare), in which case there is the added complication of replacing the hardware before you can recover the data.

In IT Operations or System Administration we labor under the same basic equation that everyone else does: Time x Money = Constant. Generally, our options break down into spending more money but less time, or spending less money and more time. As we will see, this equation dominates data recovery in planning and execution.

What is weird about recovering from a ransomware attack is that the hardware is fine and the data is all there, but someone has encrypted the data so you cannot get at the data without a key and that key costs money (the ransom). This makes the Time/Money calculation concrete in a way that such decisions rarely are: pay more money (the ransom) to get the data back faster and more completely (decrypting).

If you are an IT executive, without a Cyber Security focus, you are most concerned about that human error scenario, because you want that recovery to be quick and easy, so you pay money for daily backups which are easy to access. You also need to cover yourself in the event of disaster, so you try to make sure that your daily backup strategy, which is geared toward rapidly restoring small amounts of specific data, will do in a pinch to restore vast amounts of general data. After all, if a complete restore only happens in a disaster (flood, fire, lightning strike) no one is going to be annoyed if it takes hours and loses all the data for one day after the daily backup.

In a ransomware attack, there is no physical disaster to make taking hours or days seem reasonable. And the alternative to your usual data recovery strategy is possibly minutes (buying cryptocurrency, sending cryptocurrency, receiving the key, running the decryption).

What if you specifically designed your data recovery strategy to be quick, as an alternative to paying the ransom? Then you would likely pay more money in order to make that recovery take less time. Worse, having a data backup which is up-to-the-minute generally requires actively mirroring your data on a backup system, which has the problem that human errors are almost certainly going to be faithfully mirrored as well. So your most common problem gets worse, unless you have a hybrid backup strategy, which is more money.

A Time vs Money question that affects the entire organization is not really an IT issue: it is a Risk Management issue. This is why we don't recommend putting Cyber Security into IT. IT executes whatever is decided, of course, but it does not make sense to make them do the deciding as well.

And if you are an investor, assessing an acquisition target, this is a two-for-one: ask about data recovery. The value judgement they have made, both in terms of Time vs Money and which scenarios they address will tell you much about how they make decisions--and what scars they may bear from the past. Because it is a sad fact of human nature that we tend to react rather than predict; in other words, every terrific ransomware recovery program I have ever encountered was the result of having been attacked, not the result of far-sighted planning.
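The backup trade-off Brendan describes above, as an added toy simulation that is not part of the original post: a live mirror copies a deletion or a ransomware encryption the instant it happens, while periodic point-in-time snapshots can roll back at the cost of whatever changed since the last one. The file names, contents and timeline are constructed for illustration; minute 0 stands for the last nightly backup.

```python
"""Toy model: mirror vs. point-in-time snapshots under human error and ransomware."""
import copy

# Constructed timeline: (minute, kind, arg). Minute 0 is the last nightly backup.
TIMELINE = [
    (30, "write", ("ledger.csv", "q1 totals")),
    (90, "write", ("notes.txt", "meeting notes")),
    (120, "delete", "ledger.csv"),                   # human error
    (200, "write", ("ledger.csv", "q1 totals (retyped)")),
    (300, "encrypt", None),                          # ransomware encrypts everything
]

def apply_event(store, kind, arg):
    """Mutate a store exactly as the live system (or its mirror) would."""
    if kind == "write":
        store[arg[0]] = arg[1]
    elif kind == "delete":
        store.pop(arg, None)
    elif kind == "encrypt":
        for path in store:
            store[path] = "ENC(" + store[path] + ")"

def run(snapshot_every):
    """Replay the timeline. Returns (primary, mirror, snapshots) where snapshots
    maps minute -> copy; snapshot_every=0 means only the minute-0 nightly backup."""
    primary = {"ledger.csv": "q0 totals"}
    mirror = copy.deepcopy(primary)
    snapshots = {0: copy.deepcopy(primary)}
    for minute in range(1, TIMELINE[-1][0] + 1):
        for m, kind, arg in TIMELINE:
            if m == minute:
                apply_event(primary, kind, arg)
                apply_event(mirror, kind, arg)   # the mirror faithfully copies the damage
        if snapshot_every and minute % snapshot_every == 0:
            snapshots[minute] = copy.deepcopy(primary)
    return primary, mirror, snapshots

def restore_from_snapshot(snapshots, damage_minute):
    """Newest snapshot taken strictly before the damage; returns (data, minutes_lost)."""
    good = max(m for m in snapshots if m < damage_minute)
    return snapshots[good], damage_minute - good

def is_clean(store):
    """True when no file carries the ransomware's encryption marker."""
    return all(not v.startswith("ENC(") for v in store.values())
```

With hourly snapshots the encryption at minute 300 costs one hour of work; with only the nightly backup it costs five hours, and the mirror is useless in both cases because it encrypted itself along with the primary.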

Want to watch a video on this topic? Check out this one on our YouTube channel.
