Almost half (45%) of cyber security professionals believe that calling in law enforcement following a ransomware attack slows down the recovery process and distracts the victim’s IT and security teams from getting things up and running again as quickly as possible – and this may be a big factor in why so many ransomware incidents go unreported.
This is according to a new study on ransomware response conducted by Talion, a BAE Systems spin-out that wants to redefine the relationship between businesses and security services providers, in support of the recently launched #Ransomaware campaign, of which it is a founding member.
Talion commissioned One Poll to study the attitudes of 200 IT security professionals, and found that ransomware victims also fail to report attacks either because they do not know how to, or because they have chosen to pay the ransom and do not want to get into trouble for doing so – even though doing so is not itself always unlawful.
“Our study highlights that many organisations are concerned about reporting ransomware attacks to law enforcement out of fear that it could have further negative repercussions,” said Talion CEO Mike Brown.
“All victims want to get back to business-as-usual as quickly as possible, however it can be a complicated landscape to navigate. Should you pay the ransom? If so, is it lawful? Organisations should be mindful that it is unlawful to make a payment to terrorist organisations or prescribed groups in breach of international sanctions.
“What is required is a clear legal framework that allows organisations to make the best, lawful, decisions when they are in this high-stress situation. Law enforcement needs to find a way to work with commercial organisations so that they are viewed as a source of expertise and support, not a further obstacle to overcome.”
Talion also found that 70% of security pros believe that allowing specialist providers of cyber incident insurance to pay out to ransomware victims is exacerbating the problem and fuelling more attacks – which tracks closely with previous data on this issue.
Cyber insurance has become a topic of intense debate as it relates to the ransomware crisis, with many in the security community taking the position that insurance pay-outs should be banned outright.
Brown said: “In terms of insurance pay-outs, it is not surprising so many security professionals see them as fuelling the ransomware industry, as they certainly cushion the blow of attacks. However, pay-outs are not guaranteed and insurers are getting stricter every day.
“The best option is therefore to prepare for attacks and rehearse your strategy so that when your organisation gets hit in real life, losses are kept to a minimum.”
The #Ransomaware coalition – which besides Talion comprises the Research Institute for Sociotechnical Cyber Security, BAE Systems, 36 Commercial, Insight Enterprises, KnowBe4, the UK Cyber Security Association, Comparitech, Siemplify, Eskenzi PR, IT Security Guru, Outpost 24, Cydea, Devo Technology, Mishcon de Reya and Decipher Cyber – aims to promote collaboration and open information and intelligence-sharing around ransomware, in the hope that prompting an honest and candid dialogue on the subject will help increase awareness and preparedness, and mount a more effective defence.
Writing in Computer Weekly, Martin Smith, chairman and founder of the Security Awareness Special Interest Group, said the debate on ransomware response was more nuanced than many in the community cared to admit. He called for more open dialogue and said there was a clear inclination in some instances to engage in overt victim-blaming, which is rarely appropriate.
“Most of the time, businesses are doing the best they can to monitor and protect themselves from the fast-evolving threat,” said Smith.
“There are things we can all be doing to combat the ransomware surge: knowledge-sharing, for example, is fundamental to building proactive, preventive strategies. Collaborative discussions between industry professionals and open channels with security services monitoring the threat can also be a useful way for all businesses to stay engaged and prepared.”