Ransomware Payments - Should you pay, if so in what circumstances?

Does your organisation support a ban on ransomware payments? If not, in what circumstances does your organisation consider it would be acceptable to pay a ransom?

Hi Sandon,

Good question. The CEO of a company we use (Rapid7) said this in respect to both OPTUS and MediBank breaches.

  1. OPTUS should not pay because the information that could be leaked, although it would be problematic, is not hurtful and can be recovered from. For example, your driver's licence or password can be reissued.
  2. For Medibank, because it is sensitive personal information, once it is leaked it cannot be recovered from. For example, if it is leaked that you had cancer, you can't undo that information from being publicly available and everyone would know. For this reason, to protect privacy and prevent hurt, Medibank should pay.

My comments are that by paying you are perpetuating a criminal industry. Companies should not make the decision based on their reputational risk; it should be about the affected individuals.

Similar thinking. From a risk management perspective, I think anything you can do to prevent loss of life you would potentially use any method necessary. So in the event a hospital/emergency department was the subject of ransomware I wouldn’t have an issue paying. But as a principle for most businesses, I do believe in not doing ‘business’ with criminals.

But food for thought as the Government considers legislating against companies paying ransoms.


I think the Minister for Cybersecurity covered this quite well in the recent 4 Corners interview.

Under no circumstances should you pay a ransom. Why? If you pay, you are fueling a criminal empire. Secondly, if you do pay - what guarantee do you have that your data won’t be leaked?


The decision of whether to pay a ransom or not is reminiscent of the Prisoner’s Dilemma, a classic game theory scenario that was originally developed at the RAND Corporation in the 1950s. You may know of RAND from their pioneering work in early computing.

It’s a Faustian bargain and comes down to the question of acting alone or in cooperation with other ransomware victims.

If a company acts alone, they pay the ransom and suffer no consequences (from the criminals) for this specific ransom. If viewed as an isolated incident, this is the “best” choice for the company’s interests as it can ensure business continuity. However, this may result in negative public relations.

If the company acts as part of a group and elects to not pay the ransom, then the company suffers a negative outcome, for example losing their data, exposing PII (Personally Identifiable Information), losing customers, and closing down. This is not in the best interests of the victim, but is in the best interests of a group of companies. In the case of a hospital, an ethical argument could be made to pay the ransom to save lives.

The best choice is for each individual company to pay no ransoms at all until the criminals move on to a new target set that can be squeezed for money. If the companies cooperate as a group to reject ransom demands then they will be stronger as a group. This requires victims to act outside their “rational” self-interests and cannot be successful without coercion of the set members to ensure they stick to the strategy.

An example of a cooperating group is the set of all Australian organizations including companies, non-profits, etc. If this group is coerced by law to reject ransom demands, then each individual company in the set is in a stronger position.

It’s easy to decide at a national policy level but much murkier at a board level. You may summarize this as what’s good for the goose is not always good for the gander.


If ransomware payments are banned in Australia, then cyber criminals might test the waters a couple of times, but will soon move on to softer targets (i.e. other countries). Or they might change their business model entirely and find a new way to get to Aussie companies. Either way, if they’re not getting paid they will leave us alone (or pivot to some new, as yet unknown, method). Much like AndrewH said above.
I know it sounds harsh for those first few companies where the ransomware gangs test our resolve, but it would be better for Australia in the longer term.

My answer is no, but a couple of related points.

Have the conversation with your senior leaders now so that everyone is clear and agrees, before you are forced to decide outside your control. Consult insurers and lawyers. For example, does your property damage policy include or exclude cyber-physical impact and limit your choice? Does any underwriter inform or override a leadership decision? What if lives are at risk?

“Everyone has a plan until they get punched in the face” applies as well. An organisation facing months offline or bankruptcy might be forced to reconsider a past choice. Ensure the board, CEO or other senior leaders are clear on why a non-payment policy might change and who has the call on that. Don’t document this approach, though. Once the attacker finds a documented decision framework, they know the path of least resistance.

I have been asked this question multiple times at various Boards and C-suites. Most of them were inclined to have a documented policy around payment. Ideally, I would have said no to ransomware or data breach payments to cyber criminals, as these promote crime-as-a-service. However, I have always recommended a ransomware and data breach payment decision framework (basically a decision tree). This gives the flexibility to make a decision based on your circumstances related to the incident, i.e., considering the risk and impact. Albeit, there is no guarantee that data, once breached, can be recovered or will not be up for sale.

As we evolve and mature in cyber security, there is an opportunity to increase regulatory fines and halt ransomware payments. This would mean organisations take cyber seriously and walk the talk, i.e., invest proactively to uplift cyber posture rather than as an afterthought.

Note: As stated by one of our peers above, don’t save these documents on the network, i.e., the decision framework/policy or cyber insurance documents.