It’s like the plot of a James Bond movie. Hackers take control of a global organization’s computer systems and threaten to destroy all its records, steal its intellectual property, and drain its bank accounts unless a hefty ransom is deposited into an untraceable offshore bank account by the end of the day.
Except instead of Agent 007 suavely tracking down the anonymous would-be thieves and saving the organization from ruin, its leaders give in—and pay the ransom.
To a little-noticed but alarming degree, so-called “ransomware” attacks on governments, businesses, and other entities jumped last year. In all, they rose 41% from 2018 to 2019 to more than 205,000 globally, according to newly published data. “Every organization is vulnerable regardless of size, geography, or industry,” says Aileen Alexander, a senior client partner and co-head of Korn Ferry’s Cybersecurity practice. Though not all firms pay, the security firm Coveware estimates the average payout for those that did was about $85,000 during last year’s fourth quarter, and more than $190,000 on average in December alone.
William Mayville Jr., a senior adviser to Korn Ferry’s Cybersecurity practice, says organizations have more to lose financially from the inability to conduct business than they do from just paying the ransom. “Hackers know they can make a quick buck with ransomware,” says Mayville, a retired US Army lieutenant general who served as deputy commander at US Cyber Command, the Department of Defense agency that among its many functions defends DOD information networks.
To be sure, ransomware is essentially a way to monetize a security breach. Unlike the cybersecurity breaches at Equifax, Capital One, Marriott, or others that have made headlines in recent years, in a ransomware attack, the data isn’t released or leaked or sold. On the contrary, in most cases, data and infrastructure aren’t compromised at all—it’s just not able to be accessed by the owner. While there is certainly the threat of disclosing or publishing the hacked data, more often than not once the ransom is paid the information is released back to the owner.
While the idea of paying never makes a firm happy, Craig Stephenson, a senior client partner and managing director of Korn Ferry’s North American CIO/CTO practice, says the sums are still a relatively inexpensive way of getting valuable data back uncompromised. He says while it seems unorthodox to pay the “attackers,” the ransom is likely a significantly smaller amount than what it may cost to address a threatening public issue or the time and money necessary to rebuild the confidence in the particular brand or company.
In fact, time—or the lack of it—is one of the key levers hackers use to their advantage in a ransomware attack, says Jamey Cummings, a senior client partner and co-leader of Korn Ferry’s Cybersecurity practice. Hospitals, for instance, are frequent targets of these kinds of attacks, he says, in part because people’s lives are on the line so they have to make quick decisions. Hackers “go after those they believe are the most vulnerable.”
Experts suspect that the actual number of ransomware attacks is much higher than the reported number, citing reasons ranging from fear of job loss, investor withdrawal, and reputational damage. Moreover, while public companies are required to report cyberattacks to regulators, private organizations are under no such mandate. Stephenson says reporting attacks to law enforcement often may cause lengthy investigations that, though necessary, may not always drive the desired outcomes or results.
Of course, there’s no guarantee that once a hacker is paid they won’t simply raise the ransom fee or keep hacking the organization. After all, if a ransomware attack worked on a company once, it will likely work again. “A hacker can keep repeating a ransomware attack until the security flaw is fixed or they are caught or reported,” says Mayville.
He says organizations can undertake a few basic defensive actions to mitigate the impact of a ransomware attack. Frequently backing up data and storing it on different networks is one way, for example. Other ways include reducing the number of outside apps the system uses, fixing software vulnerabilities immediately, and properly training and educating employees on what to look for and whom to alert if something appears suspicious. “It’s all about being proactive and having a response plan to manage risk,” says Alexander.