Blog post

NO! Organizations Should NOT Bake Ransomware Payments Into Their Business Models

By Paul Proctor | May 14, 2021 | 2 Comments

“Should we pay the ransom?”

Organizations should make simple investments now to avoid facing this question in an inevitable future. We are living a dystopian present where ransomware is a sustainable (and lucrative) business model putting every single organization that uses technology at risk.

Part of what sustains this model is that in many cases, it is a better business model for the cyberinsurance carriers to PAY the ransom, than to pay for the company to recover. This will lead to MORE ransomware.

If you strengthen your backup and test restores on all your critical business processes, the cost of recovery will ALWAYS be less than paying the ransom for an uncertain outcome.

Here’s the trick. You need to be acting NOW… before you get hit with ransomware. Security and risk people need to be working with executives right now to ensure that they are making the business decisions necessary to prepare them for ransomware. Treating ransomware as a business decision means you can CHOOSE not to invest, which is a legitimate business decision.

Whether you choose to invest of not, is not the point. The point is that it will create the necessary visibility to the problem across the business so that if you do get hit, there will be ZERO surprises. This will smooth all actions in the response including whether you should pay or not.

Ransomware is a clear and present danger globally. If your executives do not want to engage in these decisions, they have voted with their attention and their wallets. Lack of a decision, is a decision, and it should be treated as such.

Ransomware is a Business Decision. Treat It Like One.

The following guidance is based on breaking down your business/mission outcomes and processes into components supported by unique technology stacks that can be discretely protected. For example marketing, sales, finance, production, underwriting, etc. You can do this by business function, product line, manufacturing facilities, operating units, etc.

Business Decision #1) How do we prioritize the business outcomes and processes that should have a full restore test?

Metric that informs the decision: % of business outcomes and processes with a full restore test in the last year.

Everybody backs up. You know what almost nobody does? Tests restore. What idiot would take a perfectly functioning business system down to bare metal on a Friday and hope they can bring it back by Monday? Almost no one.

You know when the first time most organizations test restore? After they’ve been hit by ransomware. And that is the single biggest factor in whether it devastates the organization or takes a couple of hours to clean up.

Testing restore is expensive and risky. But that is also a business decision. The problem is that we do not treat it as a business decision. If our executives understood this connection, they would probably choose to invest in more restore tests to improve their readiness in advance of a ransomware attack. Or at least be a little more understanding when they turn down the investment and everything goes down after a ransomware attack.

I understand the prevalence of dangerous ransomware that kills your backups and there are scenarios where the data itself is used for extortion even if you can restore it, but there are controls you can put in place for these circumstances as well. And the distribution of those controls across your business outcomes is also measurable.

Business Decision #2) What are our desired click-through rates across different populations of employees supporting different business outcomes?

Metric that informs the decision: Average click through rates for employee groups supporting our key business outcomes.

Employee populations are not a monolith. Different employee populations will vary in their phishing scores and different job roles support business outcomes with varying value and sensitivity if they are compromised. Gartner research shows that pushing click-through rates below 7% for any user population can create business friction from employee satisfaction to job performance.

If you average phishing scores by job role you are likely to find out that it is the people in finance that keep clicking on the cat videos that lock up your systems. Now you can address phishing training in a prioritized business context.

Business Decision #3) How do we prioritize the business outcomes and processes that are able to function (business continuity) through a ransomware attack?

Metric that informs the decision: % of business outcomes and processes that are able to function through a ransomware attack.

Organizations typically look at business continuity as an enterprise prioritization exercise. If you are looking at ransomware from a business outcome perspective, you would judge individual outcomes and their ability to continue functioning if certain systems lock up. For example, can your finance department complete the quarterly close (a critical business outcome for the finance department) if they are hit by ransomware 4 days before the end of the quarter?

Your business decision is to invest in continuity for specific, prioritized outcomes.

My colleague Roberta Witty points out that many business processes today do not have manual/paper/alternate procedures defined. I would suggest that organizations should take the time to understand what will grind to halt if the computers go away and either invest in alternate procedures or make darn sure you run a restore test and invest in confidence that you will be able to bring it back.

Business Decision #4) How fast will we patch systems supporting our critical business outcomes and processes?

Metric that informs the decision: Average number of days to patch technology stacks supporting critical business outcomes and process.

Days to patch has a direct line of sight to levels of protection. If we patch faster, our systems are available for exploitation for less time. If we patch slower, our systems are available for exploitation for more time. Patching fast costs more because we need more people and more resources.

Patching is not a monolith. You do not patch every system at exactly the same time so some systems, supporting some business outcomes are more protected than others. Which means some business outcomes are more protected than others.

Prioritizing the speed and cost of patching systems by business outcome, makes this a business decision to choose priorities and investments to address ransomware in a business context.

Cybersecurity is a Choice and a Business Decision

Most organizations treat cybersecurity like magic and security people like wizards. We give the wizards some money, they cast spells, and the organization is protected. If we get hacked, then the wizards made a mistake. This thinking has led to some very bad cybersecurity investment decisions.

Time to treat cybersecurity as a business decision. Create cybersecurity priorities and investments based on levels of protection/readiness in a business context. We now have the tools and the understanding to do that.

We should start with ransomware.

Follow me on Twitter (@peproctor)

Comments are closed

2 Comments

  • EVETTE M MUNRO says:

    Hello Paul,

    This is an article that is spot on. Thanks for the clarity we much needed on ransomware and hostage situations using technology.

    There is a lack of a larger strategic view of ransomware. Paying ransoms is a terrible start of a ‘new culture’ in hostage situations. Businesses MUST avoid this by being proactive in managing their risk in cyber attacks. It starts at the highest levels of decision making like boards and CFO levels. IT will facilitate the discussion to make business understand their options.

    IT is a critical and pressing situation that needs quick and immediate attention with a long tail to implement and create better security.

    How can Gartner help in this culture shift?

    Evette Munro

  • Caroline Mikaella Soo says:

    Hi Paul,

    Ransomware had recently hit Colonial Pipeline and they reportedly paid nearly US$5 million dollars to the Darkside ransomware group within hours of having their network being crippled. What I think needs to be called out is the fact that there are sophisticated syndicates at work and with corporates’ exposure ever increasing with digitalisation, it’s ever more pressing for both security officers and business leaders to be aligned on the risks and costs involved in protecting key priorities.

    Aside from this timely article, I believe you and your colleagues have hosted webinars along this theme of how business priorities shall dictate our IT investments strategy which are fantastic work. I look forward to more to come and materials that will help us influence and shape the mindset of our key internal stakeholders.

    Caroline Mikaella Soo