Wednesday, March 16, 2016

Ransom Attack - Risks vs. Ethics

You’ve been hacked and your corporate reputation is being held for ransom. You can pay your attacker to give back your data or deal with the impact of it being stolen and sold on the black market, or leaked to the public.

What do you do now?

There are many scenarios to imagine; from disgruntled employees to corporate espionage, opportunistic hackers or targeted data theft. The list is practically endless.

The nature of the attack and demands of the attacker will ultimately drive your decision but what have you done to prepare? Do you have a corporate policy for negotiating with cyber terrorists?  Do you have a cybersecurity insurance policy? If so, what does it say about negotiations? Will you notify your partners, stakeholders, customers, and the public? These are important considerations that will impact your financial, reputational, and competitive advantage.

But what about the Ethics?

What is the ethical impact of paying a ransom? You may get your data back, but what guarantees do you have from your attacker that it won’t later be compromised, sold, or released? Will it embolden the attacker, leading to more frequent attacks with higher ransom requests?

What is the ethical impact of NOT paying a ransom? In a healthcare environment, such as the Hollywood Presbyterian Medical Center ransomware attack, the impact may be reduced quality of care, or even death of a patient. If sweeping the cyber-attack under the rug after payment to the attackers is your goal, consider the ethical impact of keeping such an event quiet. Would disclosing the attack hurt your reputation more than being found out later after trying to cover it up?

Maybe I’ve raised more questions than I’ve answered but these are questions you should be asking yourself and discussing in the board room.

I want to hear your feedback and some examples of how your organization has responded to such attacks. Please comment.

David W
- Dragon's Lair Security |
Also find me on: YouTube | Twitter | LinkedIn

Copyright © Dragon's Lair Security. All rights reserved.

No comments:

Post a Comment