To Pay or Not to Pay: Managing Government Risk in the Age of Ransomware Attacks

Thomson Reuters Institute  Insights, Thought Leadership & Engagement

· 6 minute read

A webinar conducted by the Attorney General Alliance & Thomson Reuters explored the overall cyber-threat landscape for government agencies & corporations

We’ve all heard the horror stories of ransomware attacks seizing up government systems and vital records, such as the recent RobbinHood cyber-ambush in which hackers crippled parts of the computer systems that run Baltimore’s government.

Now imagine cyber-criminals getting into your client’s systems, rendering these records unreliable or worse, destroyed forever (because you don’t have proper backups) — unless you acquiesce to the demand of the attacker. Your cryptocurrency or your files, is how it typically goes.

Do you pay these ransomware demands?

A group of panelists, including Colorado Attorney General Phil Weiser, addressed this concern on a recent webinar, Cybercrime & Ransom Attacks, conducted by the Attorney General Alliance and Thomson Reuters. The group explored the overall threat landscape, best practices for managing your risk, and cyber-incident response planning for both corporate and government agencies.

Backing Up Your Systems

Panelist Tim Murphy, CEO and President of Consortium Networks and former Federal Bureau of Investigation (FBI) Deputy Director, noted that the FBI generally warns against paying ransoms to cyber-attackers because it emboldens criminals, but he urged the audience to think carefully about risk management.

“It’s a risk management decision, whether you’re in the public or private sector,” he said. “It’s a shot in the dark whether you will get your files back. Only 60% to 70% of the organizations that actually pay the ransom get their files back.”

Oftentimes if an organization does pay the ransom — such as in the Hollywood Presbyterian Medical Center incident where the hospital paid $17,000 in Bitcoin to regain control of its medical records — the concern remains that the hackers will come back a second time.

That is why backing up your systems is mission critical, Murphy explained.

Another panelist, Mel Gates, Senior Legal Editor for Privacy & Data Security at Thomson Reuters, agreed that this is a business management decision. The most critical consideration is whether you have your files independently backed up, she said, adding that if you don’t have your files secured, you may be out of luck.

Your next step is deciding whether the files that the hackers breached are indeed compromised or not. Murphy said that oftentimes cyber-criminals are merely bluffing.

The key is being prepared. Gates stated that once an attack happens, you must accept that bad guys were and likely still are in your network and are probably monitoring it for your passwords and other security data.

Prevention is Real

Here is where a comprehensive information security program is key. Once you have been the victim of a ransomware attack, “…now you have to go into heightened mode of rebuilding your environment, resetting your authentication controls, and accounts and passwords for every app and every system from the ground up,” Gates said.

Prevention is real, she said, but it requires commitment from your organization. Gates has seen two big mistakes that organizations tend to make in their information security programs. First, she warned not to fall for the latest and greatest cybersecurity technology. “If you get pulled into that too much, you avoid focusing on the essentials, which is how most attacks happen,” she noted. Second, don’t treat cybersecurity as a short-term project with a start and end date.

“It requires a long-term commitment,” Gates explained. “The decision doesn’t stop at ‘to pay or not to pay’ is my point — it’s now about recovery mode.”

Panelists also pointed out several tactics that are an important part of protecting your data from cyber-hackers, including:

Know Your Data — Many public sector organizations have fewer IT resources available to them, but that should not stop them from knowing the assets and data they have, including hardware and software, as well as who owns and maintains them. Also, keeping up on the latest software patches to remediate known cyber-vulnerabilities is crucial.

Train Your People & Continuously Monitor — So, if continuous patching can help stop cyber-criminals from entering your systems through a technological vulnerability, what about human vulnerabilities? The answer from the group: Train your people. Gates stressed that “training” does not mean just reading a policy to them once a year; rather, it is about engendering a culture of cybersecurity.

“It is a culture from the top, from the middle, and the bottom up,” she said. “You need a pervasive strategy.” Once you have those preventive measures in place, the next important step is continuous monitoring so if a bad actor does get into the system, they aren’t in there for days or weeks or longer before they’re detected and stopped.

Readiness Exercises — The panelists suggested that as you develop your cyber-incident response plan, it is critical to ensure you have engaged your entire agency, enterprise, and stakeholder community. “This is not just an IT issue,” Gates added. “This is an organizational issue and needs all parties involved including executive leadership.” Once those plans are in place, you must test the plans and make sure there are several lines of communication open if the network is breached. Murphy also suggested a tabletop exercise to test the organization’s readiness and its incident response plan, examining all aspects of the plan — from who owns what part of the response both internally and externally, to board actions, media and legal responses. The tabletop exercise is not intended to stop employees from clicking on phishing emails; that is accomplished through continuous training and employee engagement, Murphy stressed.

So, do you pay or not pay? “I think the FBI today will still recommend not paying, but ultimately it is a public or private business decision,” said Murphy. “You’ve got to have a team, have tabletops, have an incident-response plan, and have the experts who know what they are doing.” If you have those things, you are in a better position to make the call to pay or not to pay depending on your individual circumstances.


You can listen to the recent webinar, Cybercrime & Ransom Attacks, conducted by the Attorney General Alliance and Thomson Reuters, here.