Expert Q&A: Why Do Businesses Still Pay Ransomware?
If ransoms didn't get paid, ransomware would likely cease to exist.
Yet research suggests that plenty of businesses are still willing to pay up after a ransomware attack, perpetuating ransomware as the most common attack type.
We sat down with Raghu Nandakumara, Illumio's Senior Director of Industry Solutions Marketing, to discuss the factors that lead organizations to pay ransoms despite the reputational, financial, and security risks.
With what seems to be endless amounts of information on data security policies and plenty of security service providers, why do businesses continue to find themselves victims of ransomware?
Attacks like ransomware are more pervasive than ever. Yet too many businesses are still reliant on traditional prevention and detection tools alone that were not built to contain and stop the spread of breaches.
Effectively, this means organizations are taking their chances on being able to recover from failure instead of being resilient against failure through their ability to contain the spread of a ransomware attack.
More often than not, recovery plans are inadequate or have not been properly tested, which makes them unviable when a real incident does occur. As a result, organizations are left with no choice but to pay the ransom to restore operations and productivity levels as quickly as possible.
Ransomware actors are also aware that recovery plans are typically deficient. They intentionally target organizations and operators of essential services where this is the case, for the greatest chance of reward.
What have you heard from business owners about why they aren't implementing security systems including ransomware protection?
The most common thing we hear is "I have detection and response - that is my protection" or "We have adequate disaster recovery plans in place, so we can confidently recover if we are attacked."
Yet neither detection and response nor recovery plans provide a 100 percent bulletproof solution for stopping the impact of ransomware.
Paying a ransom isn't just about the money. It's about suspension of business, loss of reputation if the attack becomes public knowledge, and more - how do you hammer this message home to those at risk?
I think the most important message is that every business is at risk. Ransomware is now the most common type of attack, so it's no longer a question of if an organization will suffer an attack but when.
Both business and security leaders need to adopt an "assume breach" mindset: Their focus should be on breach containment rather than prevention to ensure ransomware is isolated at the point of entry.
Also, we need to see greater education among IT teams on the evolution of ransomware. Cyber criminals are now using more sophisticated ways to evade cybersecurity protections, and this means that ransomware detection systems alone cannot stop all attacks.
Detection-only techniques are no longer enough to safeguard organizations. Putting in place protection methods upfront is the only way to guard against the new breed of attacks.
For organizations that fall under the umbrella of critical national infrastructure (CNI), the message needs to focus on ramifications beyond just the bottom line. The functions these operators provide are essential to society and can pose potential risk to health, safety, and the economy if disrupted. Operators of CNI have a responsibility to maintain these services.
Recovery is not enough - they need to be resilient.
What would you encourage organizations to do to strengthen their security posture so ransomware is no longer a threat?
Reducing the ransomware threat will require a combination of technology and legislation.
Organizations need to put in place the right security architecture to eliminate the spread of breaches, including the deployment of Zero Trust tools, including Zero Trust Segmentation (ZTS) and endpoint detection and response (EDR).
At the same time, paying ransomware breeds more attacks. Ultimately, the more lucrative an attack, the more cyber criminals will do it, so the only way to completely eradicate ransomware is to stop payments being made.
However, this will require new legislation to make paying ransomware illegal. We're already seeing increasing government directives obligating organizations to report on ransomware in the U.S., and it's likely the UK will follow suit.
Organizations should also use the five pillars of the NIST Cybersecurity Framework to help build resilience against ransomware. All are essential for defense against ransomware and require investment.
What single piece of advice would you give to a CFO, CIO, and CEO regarding ransomware?
For CFOs: The longer it takes to identify, mitigate, and resolve an attack, the higher the cost. Make sure your organization is continually investing in capabilities to enhance cyber resilience and prioritize investments that have a quantifiable ROI, such as Zero Trust Segmentation.
For CIOs: Always assume breach. If you can build resilience and stop the spread of ransomware within your network, it becomes much easier to control and remediate an attack. However, strengthening cyber resilience is a team sport. It requires collaboration across multiple functions of the organization to develop a plan that improves security while enabling transformation. Stakeholders need to be engaged early, kept informed throughout, and bought into the plan.
For CEOs: Cyber resilience must be a board-level issue. Get it right, and you can ensure productivity, protect the brand and reputation, build trust, and strengthen compliance. Remember, not all ransomware attacks have to end in major business failure. By containing the attack at the point of entry, you can stop ransomware before it starts, protecting critical systems and data, and saving millions in annual downtime costs.