To protect or to pay?
New research conducted by Veritas Technologies reveals that UK consumers overwhelmingly believe businesses should stand up to hackers and refuse to pay ransoms.
However, in the event that the consumer’s own personal data is compromised in an attack, they appear to have a change of heart, wanting businesses to surrender to those criminals an average of £678 per user.
With recent high-profile hacks reportedly breaching hundreds of thousands of users’ records, the expectation from users would be for the business to pay hundreds of millions of pounds in the hope that their data is returned. This is on top of the cost to businesses of down-time, brand reputation and customer trust.
80% of the 2,000 UK survey respondents think that businesses should stand up to hackers who demand money and refuse to pay ransoms. Yet, when asked how much they wanted their suppliers to pay a ransomware attacker in the event that their own data was compromised, the average respondent specified the following amounts for different data types:
| Data type | Amount |
| --- | --- |
| Personal finances | £1,088 |
| Child’s data | £926 |
| Government records | £899 |
| Medical records | £884 |
| Personal cloud data | £784 |
| User credentials | £694 |
| Webmail | £618 |
| Customer records | £514 |
| Social media | £455 |
| Dating profile / messages | £448 |
| Basic personal data | £427 |
| Playlists / video streaming information | £405 |
| Average | £678 |
Additionally, over two-thirds (68%) thought they should be personally compensated if the company still can’t retrieve the information that’s been stolen.
Simon Jelley, VP Product Management at Veritas Technologies, said: “Whilst it may initially seem like businesses can’t win regardless of whether they pay or not, they are actually getting a clear message from consumers: people want their providers to escape the dilemma of whether to pay, or not to pay, by avoiding the situation in the first place. Our research shows that, if businesses want to please their customers, they need to prepare for an attack and be ready to recover from it - so, if the worst happens, they have tried-and-tested recovery procedures in place and there’s no need to pay out.”
Survey responses about how businesses should prepare confirmed this. The two most essential things that consumers said businesses should have in place are protection software [85%] and backup copies of their data [64%]. Businesses that have adopted these technologies are generally considered better able to respond to ransomware attacks since they can normally either prevent an attack, or safely restore their data without needing to pay the attackers’ demands.
Jelley continued: “In the past, ransomware was something that only affected a few unlucky people who were forced to pay a couple of hundred pounds to regain access to their locked-out laptops. Nowadays, it’s a multibillion-pound-a-year industry, as cyber criminals increasingly target vulnerable organisations. The costs don’t stop with the ransom payout; our survey also showed that people want to see fines and compensation too.
“On top of this, there is the huge cost of getting a business back on track with down-time, loss of production, and challenges to deliver or bill for products. As a result, global ransomware damage costs are estimated to exceed £9bn annually this year, and this does not take into account the cost of reputational damage to a company’s brand.”
These findings come from a global piece of research, which asked consumers in China, France, Germany, Japan, the United Kingdom and the United States what they thought about the issue of ransomware.
In findings that some CEOs might find alarming, over a third (35%) of UK consumers held the leader of the organisation personally responsible for the attacks. Of these:
- Over one-fifth (22%) said the CEO should face a prison sentence;
- One quarter (25%) said the CEO should be banned from running companies in the future;
- Nearly two-fifths (38%) said the CEO should pay a fine;
- Almost two-fifths (36%) said the CEO should resign;
- Over one-fifth (22%) said the CEO should take a pay cut or be demoted;
- And almost two-fifths (39%) said the CEO should publicly apologise.
Jelley concluded: “We agree with the public when it comes to not paying the ransom. Paying a ransom can often propagate the problem and provide attackers with more resources to continue developing more frequent and more advanced attacks. Plus, attackers will typically leave vulnerabilities in the devices of those businesses that have paid up, enabling them to come back again for recurring revenues.
“And, whether companies choose to pay the extortion or not, the real cost of ransomware is down-time, lost productivity and reputational damage. We believe it’s far better, then, to have a tried-and-tested data protection solution in place before the hackers come with their demands.”