Consumers overwhelmingly believe businesses should stand up to hackers and refuse to pay ransoms, according to the latest ransomware study by Veritas Technologies.
However, in the event that the consumer’s own personal data is compromised in an attack, they appear to have a change of heart wanting businesses to surrender to those criminals an average of $1,167 per user.
With recent high-profile hacks reportedly breaching hundreds of thousands of users’ records, the expectation from users would be for the supplier to pay hundreds of millions of dollars in the hope that their data is returned. This is on top of the cost to businesses of downtime, brand reputation and customer trust.
The study also found that 71 percent of the 12,000 survey respondents, when asked generally, think that businesses should stand up to hackers who demand money and refuse to pay ransoms. Yet, when asked how much they wanted their suppliers to pay a ransomware attacker in the event that their own data was compromised, the average respondent specified the following amounts for different data types:
| Personal finances | $1,687 |
| Child’s data | $1,587 |
| Government records | $1,491 |
| Medical records | $1,344 |
| Personal cloud data | $1,336 |
| User credentials | $1,128 |
| Webmail | $1,062 |
| Customer records | $959 |
| Social media | $886 |
| Basic personal data | $886 |
| Dating profile / messages | $873 |
| Playlists / video streaming information | $761 |
| Average | $1,167 |
Almost two-thirds (65 percent) thought they should be personally compensated if the company still can’t retrieve the information that’s been stolen.
Simon Jelley, VP product management, Veritas Technologies, said, “While it may initially seem like businesses can’t win regardless of whether they pay or not, they are actually getting a clear message from consumers: people want their providers to escape the dilemma of whether to pay, or not to pay, by avoiding the situation in the first place.
“Our research shows that, if businesses want to please their customers, they need to prepare for an attack and be ready to recover from it – so, if the worst happens, they have tried-and-tested recovery procedures in place and there’s no need to pay out.”
Among respondents, 79 percent said organisations should have protection software in place and 62 percent said businesses should have backup copies of their data.
“In the past, ransomware was something that only affected a few unlucky people who were forced to pay a couple of hundred dollars to regain access to their locked-out laptops. Nowadays, it’s a multibillion-dollar-a-year industry, as cyber criminals increasingly target vulnerable organisations,” said Jelley.
“The costs don’t stop with the ransom payout; our survey also showed that people want to see fines and compensation too. On top of this, there is the huge cost of getting a business back on track with downtime, loss of production, and challenges to deliver or bill for products. As a result, global ransomware damage costs are estimated to exceed $11.5 billion annually this year (Official Annual Cyber Crime Report 2017), and this does not take into account the cost of reputational damage to a company’s brand.”
Businesses that have adopted these technologies are generally considered better able to respond to ransomware attacks since they can normally either prevent an attack, or safely restore their data without needing to pay the attackers’ demands.
The study also highlighted that consumers believe that CEOs need to reprimanded should a breach take place. In findings that some CEOs might find alarming, 40 percent of consumers held the leader of the organisation personally responsible for the attacks. Nearly a quarter (23 percent) said the CEO should face a prison sentence.
One-third (35 percent) said the CEO should pay a fine. Over a quarter (27 percent) said the CEO should resign, and 25 percent said the CEO should take a pay cut or be demoted.
“We agree with the public when it comes to not paying the ransom. Paying a ransom can often propagate the problem and provide attackers with more resources to continue developing more frequent and more advanced attacks,” said Jelley. “Plus, attackers will typically leave vulnerabilities in the devices of those businesses that have paid up, enabling them to come back again for recurring revenues. And, whether companies choose to pay the extortion or not, the real cost of ransomware is downtime, lost productivity and reputational damage. We believe it’s far better then, to have tried-and-tested data protection solution in place before the hackers come with their demands.”
