80% of CISOs Would Consider Paying the Ransom if Attacked

October 21, 2021 - Chief information security officers (CISOs) across a variety of industries, including healthcare, cited ransomware as their current top concern, according to research conducted by CISOs Connect, Aimpoint Group, and W2 Research.

Despite the FBI’s guidance against paying ransoms, the report found that 80 percent of surveyed CISOs would consider paying the ransom if attacked. The healthcare, financial services, and retail industries were more reluctant to consider paying the ransom, likely due to the potential for regulatory backlash.

“Paying is obviously controversial, as it isn’t even a guaranteed short-term solution, and in the longer term it rewards threat actors while incentivizing them to continue ransomware attacks,” the report noted.

“Regardless, CISOs’ biggest cost worries come from recovery and restoration of business operations, which can be far more expensive than a currency payout. They’re also very concerned about data exfiltration and the resulting risks to their business.”

Over 70 percent of healthcare CISO respondents said they believed that their organizations would be successfully hit by ransomware at least once in the next year, compared to over 65 percent of total respondents.

Midsize organizations, ranging from 1,000 to 9,999 employees, were more likely to report being attacked in the last year and expecting to be attacked in the upcoming year.

This finding substantiates previous research that discovered significantly worse financial impacts from a cyberattack for midsize hospitals compared to larger ones. While large hospitals reported having to shut down for an average of 6.2 hours at $21,500 per hour after a cyberattack, midsize hospitals were hit hardest, shutting down for an average of 10 hours at a rate of $47,700 per hour.

Most CISOs were naturally concerned with the potential exposure of sensitive data that often comes along with a ransomware attack. Executives also reported being concerned about the cost of recovering and restoring operations and damage to their organization’s reputation.

Meanwhile, loss of employee productivity and regulatory fines were lower on the list of concerns for most industries.

“What does all of this mean? We offer the mercurial but truly valid answer of ‘it depends.’ For instance, if your organization provides critical services (think healthcare, or fuel and power distribution), then getting systems back online ASAP is the priority, while hard costs and other issues are secondary,” the report suggested.

“If your organization is smaller or less well-established, then the threat of having to shutter your entire business because of a crippling ransomware attack is a make-or-break issue. The bottom line is that breach impact is complex, and every facet must be considered and factored into business continuity planning according to each organization’s risk tolerance.”

When it comes to paying a ransom, CISOs had varying responses. Paying hackers gives them exactly what they want and does not guarantee the safe return of data. Of the respondents who experienced a ransomware attack, 36 percent paid the ransom and fully recovered their organization’s data. However, 32 percent of respondents did not pay the ransom and still fully recovered their organization’s data.

CISOs identified data backup and recovery, endpoint protection, email security, user awareness training, and patch and configuration management as some of the most crucial ransomware mitigation efforts.

“It is imperative to keep in mind that your adversaries are not standing still. Therefore, you shouldn’t be either. It is critical to continually assess your organization’s biggest vulnerabilities, strengthen your existing cybersecurity infrastructure and practice attack response plans,” the report concluded.

“Getting ahead of the curve, and staying there, also depends on considering additional layers of protections. These include more advanced and/or less widely deployed solutions already available in the market (e.g., zero trust networking, deception technology), and even completely new innovations/technologies, as they emerge.”