Wednesday, March 16, 2016

Ransom Attack - Risks vs. Ethics

You’ve been hacked and your corporate reputation is being held for ransom. You can pay your attacker to give back your data or deal with the impact of it being stolen and sold on the black market, or leaked to the public.

What do you do now?

There are many scenarios to imagine: disgruntled employees, corporate espionage, opportunistic hackers, or targeted data theft. The list is practically endless.

The nature of the attack and the demands of the attacker will ultimately drive your decision, but what have you done to prepare? Do you have a corporate policy for negotiating with cyber terrorists? Do you have a cybersecurity insurance policy? If so, what does it say about negotiations? Will you notify your partners, stakeholders, customers, and the public? These are important considerations that will affect your financial position, your reputation, and your competitive advantage.

But what about the ethics?

What is the ethical impact of paying a ransom? You may get your data back, but what guarantees do you have from your attacker that it won’t later be compromised, sold, or released? Will it embolden the attacker, leading to more frequent attacks with higher ransom requests?

What is the ethical impact of NOT paying a ransom? In a healthcare environment, such as the Hollywood Presbyterian Medical Center ransomware attack, the impact may be reduced quality of care, or even death of a patient. If sweeping the cyber-attack under the rug after payment to the attackers is your goal, consider the ethical impact of keeping such an event quiet. Would disclosing the attack hurt your reputation more than being found out later after trying to cover it up?

Maybe I’ve raised more questions than I’ve answered, but these are questions you should be asking yourself and discussing in the boardroom.

I want to hear your feedback and some examples of how your organization has responded to such attacks. Please comment.

