March 27, 2023 Hacked: Does it pay to pay up? By Prasanthi Vasanthakumar, Institute of Corporate Directors Let’s dispense with the suspense: About 50 per cent of organizations that have been hacked pay the ransom. But is that the correct course of action? To weigh the pros, cons, costs and benefits of paying the ransom, the ICD’s Manitoba Chapter hosted the webinar, To Pay or Not To Pay, featuring Dr. Michael Parent, Professor at Beedie School of Business, Simon Fraser University, Academic Director for the ICD-Rotman Directors Education Program (DEP), and National Academic Director for the ICD’s course, Oversight of Cybersecurity in an Era of Digital Acceleration. Ransomware attacks, in which a company’s data is locked, encrypted or stolen, have grown by 500 per cent in the last three years. In 2022, ransomware attacks hit organizations every 14 seconds, and the average ransom demand was US$925,000. In 2021, 85 per cent of Canadian companies were successfully hacked. Due to their inevitability, cyberattacks are a matter of when, not if.1 But if to pay or not to pay is the question, there is no right answer, says Parent. “It’s one of these fundamental existential questions that boards have to deal with.” The case for paying up For many companies, there is a compelling business case to pay the ransom. On average, hackers spend about 164 days inside company networks before making their move. This gives them time to infect many systems (including backups), identify high-value items, learn about the business (e.g., its insurance policies and incident response plans), and leave no trace behind.2 “One of the reasons they spend time in your network is to know exactly the value of your data and exactly how much it will cost for you to recover,” says Parent. “The business intelligence they gather allows them to demand a ransom that is unique to you.” Calculating the business case Parent recommends crunching the numbers to determine how much a ransomware event will cost the organization. Recovery costs depend on the size of the database, time to restore data, data auditing to ensure integrity, and other expenses. If these costs amount to $500,000, for example, paying a ransom demand of $300,000 will make business sense because it is a cheaper and faster solution. Special circumstances Costs aside, particular instances may warrant paying the ransom. According to cybersecurity expert Matthew Baker, these include: organizations that provide essential services that don’t have time to restore operations; firms that can better understand system vulnerabilities if the hackers are willing to share this information as part of the ransom negotiation; and companies that may be damaged by the release of sensitive proprietary information.3 Is Elon Musk in trouble again? Elon Musk may be in this last category right now. Ransomware gang LockBit claims to have breached a SpaceX supplier and stolen blueprints. The gang is threatening to release the design of SpaceX rockets if Musk doesn’t pay up. “Elon Musk we will help you sell your drawings to other manufacturers—build the ship faster and fly away,” wrote LockBit on the dark web. Different reasons can factor into a company’s decision to cough up the cash. “It’s an honest crime because 75 to 85 per cent of the time, paying the ransom will provide a valid decryption key [to restore access],” says Parent.4 The case for not paying While these virtual villains may be committing an honest crime, there is no honour among thieves. As security expert David Lindner tells Forbes, paying a ransom doesn’t guarantee the safe return of data. It also paints a target on the company as one that has an insecure system and is willing to pay up.5 But beyond the probability of a repeat attack, there are legal and moral considerations. Legal considerations Both the Royal Canadian Mounted Police (RCMP) and Federal Bureau of Investigation (FBI) strongly oppose paying the ransom for two main reasons. First, it incentivizes criminal activity and second, it identifies the payer as willing to pay. Nonetheless, paying up is only illegal if the hackers are part of a known terrorist organization or on the sanctions lists of Canada or the United States. A moral dilemma Legalities aside, paying the ransom has moral and ethical implications. Companies must decide if meeting criminal demands aligns with their organization’s values, culture and code of ethics. They should also consider how stakeholders like employees and customers may react to their decision to pay up.6 Indigo’s approach Indigo Books and Music ostensibly chose to take the high road when it was hacked earlier this year. “Given we cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists, Indigo has determined it would be inappropriate to pay the ransom,” it said in a statement to the Financial Post. But doing the right thing isn’t easy. Experts say the bookstore chain likely lost millions of dollars, while employee data, including medical and immigration information, were potentially released on the dark web. Undoubtedly, a ransom demand puts an organization in a difficult position. To help guide their thought process, boards can use Graham Tucker’s 5-question model to ask if a decision is profitable, legal, fair, right, and sustainable or environmentally sound.7 Best practices for boards To get ahead of any impending cyberattack, Parent offers five recommendations for boards. Talk about it Boards must decide if they will ever pay the ransom, and under what circumstances they will do so. Record the payment on paper If the ransom is paid and recorded electronically, it is safe to assume future hackers will read it when infiltrating an organization’s systems. “Record it on paper and keep it in paper files in a locked filing cabinet,” advises Parent. Have a cyberbreach plan As part of their due diligence, boards should ensure a cyberbreach response plan or playbook is integrated into the company’s incident response and disaster recovery plans. The board should approve these plans well before a ransomware attack. Participate in tabletop exercises Boards should take part in a cyberbreach tabletop exercise at least once a year. These exercises allow directors to understand how a cyberattack feels and the questions that may arise. “Understanding the mechanics [of a cyber event] and the physiological reaction to it becomes important,” says Parent. Keep your finger on the pulse Boards should monitor training and culture around cybersecurity in the organization, and review test results around phishing emails, for example. At every board meeting, directors should see a cyber-resilience report that addresses questions about holes, current threats, actions taken and resources needed. Cyberbreaches occur for two main reasons – from the action of employees clicking on phishing emails, and from the inaction of organizations that fail to secure vulnerabilities, such as patching software or protecting remote access. Getting less than 10 per cent of employees to click on phishing emails is “a spectacular result,” says Parent. But part of that behaviour comes down to organizational culture, which starts at the top. “Changing people’s behaviour and creating a culture of security and cyber-resilience starts with the board,” says Parent. “How robust is your own practice?” ‘Hope is not a good strategy’ According to one report, profits from ransomware attacks dropped by 40 per cent in 2022 because companies refused to pay up. However, as long as enough victims cough up the cash, ransomware attacks will remain rampant. Indeed, cybercrime is big business and is expected to inflict US$10.5 trillion in damages annually by 2025 on a global scale. “Hope is not a good strategy,” says Parent. The best thing boards can do is to be prepared. Sources 1,4,7 The Hawkamah Journal, 19. Ransomware: Should you pay? (2022) 2,6 The Conversation Before Paying a Ransom, Hacked Companies Should Consider Their Ethics and Values (2022) 3,5 Forbes. Why Experts Disagree On Whether Businesses Should Pay Ransomware Demands (2022) Share this