Should you pay a ransom?

By VRSA Chief Information Officer Karen Inman and VRSA Director of Member Services Marcus Hensel

Public bodies continue to make headlines for falling victim to ransomware and other cyber-based attacks.

While criminals pursue both business and governmental entities, government attacks are more visible because they can disrupt public services. The greater the disruption and the greater the outrage, the greater the demand for ransom.

When a public body is impacted and services are disrupted, this makes headlines. Following these events, the public wants to know why more was not done to protect the entity’s systems and data.

One way criminals make money from government entities is through ransomware attacks, which are increasing. They have seen examples demonstrating that public entities will pay, and that these events are often covered by insurance. This means cyber incidents targeting government entities will only increase.

Recently, two large U.S. cities chose not to pay, resulting in disruption and millions in costs to rebuild systems and upgrade security. Two recent attacks in Florida highlighted ransoms being covered under the entity’s cyber insurance policy. This not only informed criminals of the types of limits associated with cyber coverage, it also incentivized them to exploit the basic economic principle of price elasticity of demand.

Law enforcement and the U.S. Conference of Mayors advise against paying ransom, out of concern about funding criminal enterprises or fear of the unknown. It is argued that refusing to pay may be in the best interest of everyone, but it may not necessarily be in the best interest of the public body experiencing a disruption to service or permanent loss of data.

There are costs and options that each public body must evaluate in deciding whether or not to pay a ransom.

The question is not easy and rests on the importance of the locked files and the public body’s confidence in the backups of its systems and data. Each public body must strategically decide its risk tolerance for lost data as it relates to its backup and recovery strategy.

The lower the tolerance, the greater the need for a solid backup and recovery strategy. One public body’s tolerance may be four hours. For others, the tolerance may be several days. Tolerance must be considered separately for the case where the backups, as well as the operational systems, are infected with ransomware. The backup and recovery strategy should be routinely reviewed to address the evolution of ransomware code, some of which has now been designed to bypass firewalls and infect backup systems.

Cyber security mitigation includes three focus areas: physical, technical, and administrative. An effective cyber mitigation strategy has elements from all three areas and should be reviewed regularly and adapted to emerging and evolving threats.

Physical controls include protecting hardware and monitoring access to buildings, offices or server rooms. Key fob access that limits entry to secure areas by job role, security cameras, and fire suppression systems are common examples of physical controls.

Technical controls are tools that prevent unauthorized access to electronic systems, or tools that highlight potentially malicious e-mails. These include antivirus software, firewalls, and e-mail filters. More advanced tools and detection measures in this area include penetration testing, vulnerability testing, and phishing testing. It is recommended that these more advanced tests be completed at least annually.

With the increased number of phishing and fraudulent e-mails, an excellent example of a technical control is alerting recipients to all e-mails originating outside of the organization. This is often displayed as a highlighted line with wording such as: “Notice: This message originated outside of <Organization’s Name>. Use caution when opening attachments, clicking links or responding to requests for information.”
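The following is an added illustration of how such an external-sender banner can be applied at a mail gateway; it is example code written for this article, not a VRSA tool or any vendor's product. It assumes a placeholder organization domain (`example.gov`) and name (`Example County`), and it assumes the `Return-Path` header is set by the organization's own inbound gateway. The sample messages are constructed for the example. Beyond the banner itself, the code treats a message as external unless both the visible `From` address and the envelope sender are internal, so a message whose `From` header merely looks internal still receives the warning.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organization identity: placeholder values, not from the article.
ORG_DOMAINS = frozenset({"example.gov"})
ORG_NAME = "Example County"

BANNER = (
    f"Notice: This message originated outside of {ORG_NAME}. "
    "Use caution when opening attachments, clicking links or "
    "responding to requests for information."
)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_internal_domain(domain):
    """True for the organization's domains and their subdomains."""
    return bool(domain) and any(
        domain == d or domain.endswith("." + d) for d in ORG_DOMAINS
    )


def is_external(msg):
    """External unless BOTH the visible From address and the envelope sender
    (Return-Path, assumed to be written by our own gateway) are internal.
    Checking the envelope keeps a forged internal From header from
    suppressing the banner."""
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path")) or from_domain
    return not (is_internal_domain(from_domain) and is_internal_domain(envelope_domain))


def tag_external(raw_bytes):
    """Parse a raw RFC 5322 message; if it is external, add a marker header,
    a subject prefix, and the banner at the top of every text/plain body part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if not is_external(msg):
        return msg
    msg["X-External-Sender"] = "yes"
    subject = msg.get("Subject", "")
    if not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
    for part in msg.walk():
        # Only inline text bodies get the banner; attachments are left untouched.
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            part.set_content(BANNER + "\n\n" + part.get_content())
    return msg


# Constructed sample messages (not real traffic).
SAMPLE_EXTERNAL = b"""\
Return-Path: <billing@mailer.example-supplier.test>
From: Accounts Payable <billing@example-supplier.test>
To: clerk@example.gov
Subject: Invoice attached
Content-Type: text/plain; charset="us-ascii"

Please open the attached invoice and confirm payment details.
"""

# From header looks internal, but the envelope sender is not.
SAMPLE_FORGED_FROM = b"""\
Return-Path: <bounce@relay.example-supplier.test>
From: Marcus Hensel <marcus.hensel@example.gov>
To: clerk@example.gov
Subject: Updated wire instructions
Content-Type: text/plain; charset="us-ascii"

Please use the new account number below.
"""

SAMPLE_INTERNAL = b"""\
Return-Path: <karen.inman@example.gov>
From: Karen Inman <karen.inman@example.gov>
To: marcus.hensel@example.gov
Subject: Budget meeting
Content-Type: text/plain; charset="us-ascii"

Moved to 2pm.
"""

if __name__ == "__main__":
    for name, raw in [("external", SAMPLE_EXTERNAL),
                      ("forged-from", SAMPLE_FORGED_FROM),
                      ("internal", SAMPLE_INTERNAL)]:
        tagged = tag_external(raw)
        print(f"{name:12s} external={tagged['X-External-Sender'] == 'yes'} "
              f"subject={tagged['Subject']!r}")
```

In a deployment the same decision is normally expressed as a transport rule or milter at the gateway rather than a stand-alone script; the point of the example is the decision rule (both the visible and the envelope sender must be internal) and that the banner is inserted into the text body, where the user will see it, rather than only into headers.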

Administrative controls include information technology and information systems policies and procedures, as well as training. These are often the most effective means of preventing a cyber incident. Staff are the last line of defense, yet they are often the weakest link in the defense chain.

Criminals exploit human weaknesses such as eagerness to please or the tendency to click links, open attachments or hand over credentials. Cyber security training requires a commitment of time. While time consuming, training also has the greatest impact on preventing a cyber incident for your organization.

The best way to avoid a ransom is to have the appropriate controls and protection in place to minimize the likelihood of being infected with ransomware. If the appropriate controls and protection are in place, it is easier for the affected entity to maintain the public’s trust in the event of an incident.