To Pay Or Not To Pay
One of our founders has been keeping track of who gets hacked in his on-going series "The Litany Of the Hacked." As he intended, this series has made me think more about who gets hacked and why.
So I was horrified recently to hear a fellow cybersecurity professional describe his planned response to a theoretical ransomware attack as "ask the Board whether or not they want to pay it." He viewed this as a moral question for management, not a technical question to be addressed by his own Incident Response Plan. To my on-going horror, it is true that paying your way out of a ransomware attack is probably legal, depending on where you operate and some other circumstances. To quote the FBI themselves:
The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.
Legal, yes, but it is clearly not something to be proud of, which is why so many companies fail to report it.
I know that system administration is boring. I see that data integrity does not grab much attention. I have come to accept that backup & restore do not get the respect that they deserve. I have complained before about the short shrift given to system administration by cybersecurity, notably in this post.
But still: to not even consider the possibility that your backup & restore procedures will save the day? This is a bit shocking. If you do not trust your backup & restore procedures, then ransomware is not the only risk you are failing to mitigate; at least with ransomware, giving in will likely get your data back.
But what about the other, much more common, causes of loss of access to data? What about hardware failure? What about human error? What about natural disaster--flood, lightning or fire? What about bad luck (people knocking down utility poles with their cars and the like)?
In any of these cases, there is no criminal organization to pay off. There is no way to restore access to your data without restoring that data. Which means that you have to have backed up your data, ideally recently enough to avoid massive losses of productivity.
In other words, you need a data management policy, implemented by backup procedures and validated by restoration. These things should be part of your system administration and included in your Cybersecurity Program. Because cybersecurity is about business continuity and business continuity requires planning, execution and confirmation.
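The "validated by restoration" step is the one most often skipped, so here is an added example of what a restore drill looks like in practice. This is illustrative code written for this page, not a tool from the post's author: it backs up a constructed sample tree into a tar archive together with a SHA-256 manifest, restores the archive into a scratch directory, and reports every file that is missing, altered or unexpected. It also refuses archive members that would write outside the restore directory, since a backup you cannot restore safely is no better than one you cannot restore at all. All paths, file names and contents are made up for the demonstration.

```python
"""Backup-and-restore drill (added example; not code from the original post).

A backup that has never been restored is a hope, not a control. This script
backs up a directory with a SHA-256 manifest, restores it into a scratch
location and verifies every file against the manifest.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of POSIX-style relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(root: Path, archive: Path) -> dict:
    """Archive root under 'data/' and embed the manifest as MANIFEST.json."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname="data")
        payload = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def safe_members(tar: tarfile.TarFile) -> list:
    """Reject members that could escape the restore directory (absolute paths,
    '..' components, symlinks/hardlinks); a tampered archive must not be able
    to overwrite files outside the scratch location."""
    members = []
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
            raise ValueError(f"refusing unsafe archive member: {m.name}")
        members.append(m)
    return members


def restore(archive: Path, dest: Path) -> dict:
    """Extract the archive into dest and return the manifest it carried."""
    with tarfile.open(archive, "r:gz") as tar:
        members = safe_members(tar)
        # Use the stdlib 'data' extraction filter where this Python has it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return json.loads((dest / "MANIFEST.json").read_text())


def verify_restore(dest: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the restore is good."""
    restored = build_manifest(dest / "data")
    problems = [f"missing: {rel}" if rel not in restored else f"corrupt: {rel}"
                for rel, digest in manifest.items() if restored.get(rel) != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return problems


def drill(src: Path, work: Path) -> list:
    """Full drill: back up src, restore into a scratch dir, verify the result."""
    work.mkdir(parents=True, exist_ok=True)
    archive = work / "backup.tar.gz"
    backup(src, archive)
    dest = work / "restore"
    manifest = restore(archive, dest)
    return verify_restore(dest, manifest)


def make_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a real file server."""
    (root / "db").mkdir(parents=True)
    (root / "notes").mkdir()
    (root / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
    (root / "db" / "orders.csv").write_text("id,customer\n10,1\n")
    (root / "notes" / "readme.txt").write_text("restore me\n")


def run_demo() -> dict:
    """Run a clean drill, a tampered re-check and an unsafe-archive check."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "src"
        make_sample_tree(src)
        clean = drill(src, work / "run1")
        # Tamper with the restored copy: the verifier must flag both changes.
        dest = work / "run1" / "restore"
        (dest / "data" / "db" / "customers.csv").write_text("garbage")
        (dest / "data" / "notes" / "new.txt").write_text("x")
        manifest = json.loads((dest / "MANIFEST.json").read_text())
        tampered = sorted(verify_restore(dest, manifest))
        # A crafted archive with a traversal member must be refused outright.
        bad = work / "bad.tar.gz"
        with tarfile.open(bad, "w:gz") as tar:
            info = tarfile.TarInfo("../escape.txt")
            tar.addfile(info, io.BytesIO(b""))
        try:
            restore(bad, work / "run2")
            refused = False
        except ValueError:
            refused = True
        return {"clean": clean, "tampered": tampered, "unsafe_refused": refused}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real environment the drill would point `drill()` at the production backup target and a throwaway restore host, run on a schedule, and alert when the returned list is non-empty. The manifest is what turns "the restore finished" into "the restore is correct", which is the confirmation the post is asking for.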
Why do people get excited about loss of data access caused by criminals but ignore the far more likely loss of data access caused by wind, rain, error, bugs or hardware failure? I cannot say. But what I can say is that from the trenches, from the server room, these situations are indistinguishable. Unless your Board decides that it would rather put its money into supporting crime than into system administration. In which case someone pays the ransom, the access is restored and things are back to normal--but now "normal" includes the knowledge that this will happen again. After all, you are now a paying customer as well as being a victim.
You need data protection anyway. You are almost certainly already paying for backup & restore functions to protect your data. Why not invest the time and effort to have data protection that you trust enough to handle a ransomware attack? That way you avoid having to pray that you are attacked rather than visited by any of the more likely events. Control your own fate as much as possible. Manage the risks and sleep better at night.
Paying any given ransom might be an unavoidable but rational business decision. Planning on paying any and all ransoms seems like a lamentable lack of belief in core computer systems and procedures.