By ThreatTrack Security
If cyber criminals locked up all of your company’s data and demanded ransom to give it back, which types of data would you consider worth paying for? In a recent ThreatTrack Security survey on cyber-extortion, enterprise security professionals cited employee data such as social security numbers, addresses and salaries as the most worthy of negotiating with extortionists.
37% of respondents prioritized employee information, compared with 36% who picked customer information such as credit card numbers and passwords, 30% intellectual property, and 26% confidential executive communications.
Employee and customer data top the list of information that security professionals would consider negotiating with cybercriminals to return or restore. 50% of respondents said they would never negotiate.
But while more than a third of respondents place high value on employee and customer data, the number shrank to 30% when respondents were asked if they would recommend negotiating at all to recover lost or stolen data from cyber extortionists.
Although technically a minority, 30% is still a significant figure. It points to an unfortunate conclusion in the cybersecurity trenches that sometimes negotiating with the enemy is the only choice – especially when it comes to preventing the exposure of sensitive employee and customer data.
It was clear that security pros place more value on some types of data than others. Further proof came in the answers to a question about whether organizations should set aside funds to negotiate with cybercriminals: 45% of respondents said “yes,” but roughly half of them (22%) said it “depends on the data.”
Survey participants also expressed sobering views regarding the probability their organizations are targets for cybercrime extortion: 75% said “yes” because “all organizations have valuable data,” and 46% reported “we have experienced at least one breach or attempted breach” (28%).
There were some distinct differences in attitude between survey participants whose companies have already been targeted by cyber-extortion and those at companies that haven’t. For instance, 55% of respondents in victimized organizations would recommend negotiating with cyber extortionists, while 85% at companies that haven’t been targeted said they wouldn’t. To the question of setting aside funds to negotiate with cybercriminals, 43% at companies that have been targeted said “yes” and 65% at companies that haven’t been targeted responded “no.”
Differences aside, one thing is for sure: A vast majority of all survey participants (86%) believe other organizations have already negotiated with cybercriminals. And as for their own companies’ ability to defend against cyberattacks, there was some cautious optimism: 49% said their companies have invested in the technology and processes they need, while another 40% said they have but need to do more.
What do you think?
Are there any circumstances under which you would consider giving in to cyber-extortion?