Unfortunately, many businesses have not properly invested in the cybersecurity best practices that are required to effectively defend against a cyberattack. For many businesses, their defense of choice has been one of the following:
- Bury their heads in the sand and hope the cybercriminal stays away.
- Get cyber insurance and just pass the risk onto the insurer.
- Negotiate with a criminal, pay the ransom, and hope that the criminal can be trusted to do what they promise.
These are all very poor strategies! We all know that burying your head in the sand is silly – so nothing more needs to be said about this approach.
The cyber insurance approach might seem reasonable, but insurance underwriters are smart. That’s why in a recent blog post we discussed the tightening of cyber insurance guidelines and how insurers are no longer accepting the cyber insurance risk they were once willing to accept.
Insurers are increasingly demanding that those they insure have cybersecurity best practices in place. Having cybersecurity best practices in place mitigates the risk of a successful attack, which in turn drastically reduces the risk of an insurance payout. In essence, insurers are bouncing the responsibility of implementing an effective cyber defense right back to the business owner.
Regarding simply paying the ransom, we recently wrote about some disturbing stats that show that most businesses that pay ransom don’t get their data back; they are typically branded as “suckers” and robbed again – often by those who attacked them the first time. But if that’s not enough to dissuade you from this approach, consider that it may shortly be against the law to pay ransom to a ransomware attacker.
Currently, there is no federal or state law that prohibits the payment of ransom to a ransomware attacker. However, in 2020 the U.S. Treasury issued an advisory stating that organizations that facilitate a ransom payment could face civil penalties for doing so. These penalties would kick in if the ransom is paid to a ransomware attacker who is placed on the U.S. Treasury Department’s Specially Designated Nationals and Blocked Persons List. This list contains the largest and most active players in the ransomware game. And chances are HIGH that it will be someone on this list who attacks you.
At the federal level, there are a number of conversations happening in Congress to ban payments to cybercriminals in response to the FBI’s current advice. According to FBI Director Chris Wray “we discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back.” Director Wray also added “we’ve seen the total volume of the money paid triple over the last year or so.”
We know that things in Congress don’t happen fast, so any type of federal legislation banning the payment of ransom probably isn’t happening soon. However, state legislation is a different story. There are at least 4 states with pending bills that would make it illegal to pay the ransomware attacker. These states include New York, North Carolina, Pennsylvania, and Texas.
The best way to protect your business is to invest in the appropriate systems and expertise that help you detect and stop malicious behavior before it becomes a problem. Keep in mind that, on average, the time from when a cyberattack is initiated until it is contained is 280 days – that’s 9 months! If you can detect the attacker EARLIER and stop the attack QUICKLY, then you can avoid catastrophe. This is the only viable defense.