If executives are preemptively asking whether they would pay a ransom post-attack, they're already asking the wrong question.
"Companies are willing to fork out huge amounts of money to do amazing things post an incident," said Kerissa Varma, CISO of Old Mutual Limited, during a webcast hosted by Cybereason Thursday. But making changes before an incident is "a very difficult business case."
Planning before an attack, rather than only reacting once an incident is underway, limits the damage an attacker can do. The pre-incident checklist is about prevention and resilience:
- Endpoint detection and response (EDR)
- Multifactor authentication
- Backup reliability
- Patching policies
Yet only 30% of companies that have not experienced a ransomware attack have EDR solutions in place, a Cybereason survey of more than 1,200 information security professionals conducted in April found. Around 50% of respondents don't have antivirus software, and about 40% lack data backup and recovery.
"I think we've got a coverage problem, to be quite honest; for asset inventories, poor documentation, it's easy to miss the device here or miss a device there that then becomes a target," Varma said. Before a company even considers whether or not they would pay a ransom, "it's too late, it's out the door."
It's tempting for business executives to say they would never pay a ransom, but it's not always up to them. Basic math, prohibitive sanctions or a moral stance all shape the decision. The answer is almost never clear until a company is faced with unreliable backups and ransomware actors who have the upper hand.
Companies consider paying ransoms on a case-by-case basis. Still, among respondents whose organization paid a ransom, 46% got their data back with some or all of it corrupted, Cybereason found. About half regained all of their data intact, while 3% got nothing after paying.
"Paying the ransom does not speed up your recovery if your goal is to recover in a place where you're more safe and secure post-incident than where you were pre-incident," Frank Johnson, SVP of sales and marketing and chief customer officer for SecuLore Solutions, and the former CIO and chief digital officer for the City of Baltimore, said during the webcast.
Difficult decisions
Paying a ransom does not always mitigate damage from the attack or unlock encrypted systems. And 80% of cybersecurity professionals said their organization was attacked again after paying a ransom, the survey found.
Even if a company regains its data after paying a ransom, it may still be operating on compromised systems. Those systems have to be combed through, and the attacker's access removed, before they can be reintroduced to the network.
"This all starts with having a really good backup and recovery plan," Johnson said. "Make sure that they're clean, check them regularly, because you'll never know when you need to pull them down and use them as a base in order to start to recover."
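Johnson's advice to check backups regularly is easier to act on when the check is automated: restore the backup into a scratch location and compare every file against a manifest of hashes that was recorded when the backup was taken. The following is an added example, not code from the article, from Johnson or from SecuLore. It assumes a simple tar.gz backup with a sha256sum-style manifest kept separately from the archive (ideally offline or on immutable storage, so an attacker who rewrites the backup share cannot also rewrite the manifest); the directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def create_backup(source_dir, archive_path, manifest_path):
    """Archive every file under source_dir and write a manifest of SHA-256
    hashes (sha256sum format) to manifest_path. Returns the manifest dict."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_bytes(path.read_bytes())
                tar.add(str(path), arcname=rel)
    Path(manifest_path).write_text(
        "".join(f"{digest}  {name}\n" for name, digest in sorted(manifest.items()))
    )
    return manifest


def load_manifest(manifest_path):
    """Parse a sha256sum-style manifest into {relative_name: hex_digest}."""
    expected = {}
    for line in Path(manifest_path).read_text().splitlines():
        digest, _, name = line.partition("  ")
        if digest and name:
            expected[name] = digest
    return expected


def verify_backup(archive_path, manifest_path):
    """Restore-test: extract the archive into a scratch directory and compare
    each restored file to the manifest. Returns (ok, list_of_problems)."""
    expected = load_manifest(manifest_path)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # Use the safe extraction filter where the interpreter has it
                # (Python 3.12+, and the security backports to older 3.x).
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = {
            p.relative_to(scratch).as_posix(): p
            for p in Path(scratch).rglob("*") if p.is_file()
        }
        for name, digest in expected.items():
            if name not in restored:
                problems.append(f"missing from archive: {name}")
            elif sha256_bytes(restored[name].read_bytes()) != digest:
                problems.append(f"hash mismatch: {name}")
        for name in sorted(restored.keys() - expected.keys()):
            problems.append(f"not in manifest: {name}")
    return not problems, problems


def demo():
    """Constructed end-to-end run. Back up a small tree and verify it, then
    simulate the files on the backup target being rewritten (as ransomware
    would) and show the restore test catches it against the offline manifest."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly plan\n")
        archive, manifest = work / "backup.tar.gz", work / "backup.sha256"
        create_backup(src, archive, manifest)
        ok_clean, _ = verify_backup(archive, manifest)

        # Attacker encrypts one file and deletes another on the source, and the
        # next backup job faithfully captures the damaged state.
        (src / "finance" / "ledger.csv").write_bytes(b"\x00encrypted\x00")
        (src / "notes.txt").unlink()
        tampered = work / "backup-next.tar.gz"
        create_backup(src, tampered, work / "backup-next.sha256")
        ok_bad, problems = verify_backup(tampered, manifest)
        return ok_clean, ok_bad, sorted(problems)


if __name__ == "__main__":
    print(demo())
```

The restore test only proves that the archive matches what was hashed at backup time, so a backup taken after files were already encrypted will verify cleanly against its own manifest. Keep several generations of backups and manifests, and compare the newest against an older known-good manifest, so that a sudden wave of hash mismatches and missing files stands out.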
Johnson served as CIO of Baltimore when it was hit by the RobbinHood ransomware in May 2019. The attack slowed city functions and halted water bill collection by the public water works department. The ransom demand was $76,000, which Baltimore refused to pay. Johnson was put on unpaid leave by July 2019 and ousted from his position by October.
Almost one-third of respondents said leadership was forced out — by resignation or termination — after a cyberattack, Cybereason found. Yet companies often want someone who can steer them out of an incident, and whether an executive survives one says a lot about the relationship between the CIO, the CISO, the C-suite and the board.
"As a CISO, it's not that you have a breach that ends your career, it's that you couldn't manage one that ends your career," Bryan Hurd, VP and chief of Office at Aon Cyber Solutions, and founder of the Cyber Counterintelligence program for the U.S. Navy, said during the webcast. "It's not that you had a fire, it's that you're not a good firefighter."
"This all starts and stops with leadership," Johnson said. "Leadership plays an important role in protecting their environment through their attitude with risk management, risk posture, site, investments in cybersecurity and protection should flow out of a well informed risk capability."
"If you have leadership looking for somebody to blame, if there is an event in their environment and enterprise, [take a] particularly good, hard look in the mirror," he said.
Depending on an organization's cybersecurity culture, it may not matter whether a tech executive effectively directs recovery efforts. Companies can use a scapegoat in an incident and place the blame on security leadership.
If the CISO had the right strategies but an underfunded organization, "that's a different discussion for the board than an incompetent security team, which is more on the board's liability role," said Hurd.
Almost three-quarters (73%) of respondents said their organizations have a specific plan or policy for ransomware, according to the Cybereason survey. But "there are policies and there are playbooks," Hurd said. Ransomware-specific policies are actually just "the same things you're doing to stop adversaries from stealing your intellectual property."
"These are not specific security improvements that only stop ransomware," Hurd said.