clock menu more-arrow no yes

How Much Would You Pay to Prevent a Breach?

A quarter of companies would pay hackers’ ransom.

iQoncept/Shutterstock

In a country divided by the upcoming election, President Obama garnered bipartisan support for a significant budget increase this week: $5 billion in additional cyber security spending. The one-third increase — to $19 billion in 2017 — marks an initiative from our country’s highest office to crack down on cyber threats — which are, in Obama’s words, “among the most urgent dangers to America’s economic and national security.” A similar attitude prevails on the global stage: The World Economic Forum named cyber attacks one of the greatest threats to business, above terrorist attacks and interstate conflict.

The escalated attention to cyber defense couldn’t come sooner, as government organizations and businesses struggle to prevent some of the most dangerous types of attacks.

In the 21st century, hackers are the bank robbers and data is the hostage.

Imagine thieves stealing your company’s computers, demanding money for their return and putting them through a trash compactor if you decline. This nightmare is frighteningly close to the reality of cyber ransom. Victims rarely have any alternative besides giving in to hackers’ demands. Unfortunately, cyber ransom is one of the more prevalent and lucrative forms of criminal hacking to threaten companies today.

In the increasingly monetized world of hacking, no target is safe from criminals holding important files hostage for ransom. One variation of this service, “ransomware,” functions as a malware that encrypts files on a computer, preventing the owner from accessing them to extort payment. Security professionals have not cracked the code on preventing ransomware attacks: Experts detected four million samples in the second half of 2015, up from 1.5 million two years ago.

The size and scale of the attacks reflect a new audacity on the part of perpetrators. In the past year, hackers have carried out ransom attacks on a British telecom provider, Greek banks, and a United Arab Emirates bank. In this last case, the bank refused to negotiate, and the hacker publicly posted the sensitive information of nearly one million customers in response. In the 21st century, hackers are the bank robbers and data is the hostage.

To negotiate with hackers?

Contrary to the philosophy of not negotiating with terrorists for fear of incentivizing future incidents, the FBI has actually recommended that victims pay ransoms in certain scenarios. While critics claim this strategy only validates the method as a financially viable solution for hackers, victims and law enforcement alike are essentially helpless. The economic argument for dissuading future ransoms doesn’t compel companies faced with losing access to critical information.

Realizing that their organization’s reputation would be on the line, 24.6 percent of IT departments reported that they would pay a ransom to prevent a data breach.

What do the security professionals on the front lines think? The grim stories of past victims certainly inform the reactions of security professionals when asked whether they would pay a ransom. Realizing that their organization’s reputation would be on the line, 24.6 percent of IT departments reported that they would pay a ransom to prevent a data breach. We’re not talking about trivial sums, either: 14 percent would pay more than one million dollars. This amount isn’t surprising when you consider the enormous financial damage a company suffers in the wake of a breach. Costs soar beyond tangible expenses from damage to a brand’s reputation. The average cost of a breach rose to $3.8 million in 2015, not to mention potentially the jobs of the security staff involved.

Rising price tags drive accountability for breaches

Are we at such a desperate state of cyber security where we’re just waiting to pay ransom for the next breach? Consumers have grown weary — 63 percent expect their data to be compromised in the next 12 months. It’s difficult not to ask the question, “Is something wrong with the way we protect information?”

It’s more expensive to be hacked than ever before — the average cost of a breach rose to $3.8 million in 2015.

While consensus places responsibility for cyber security with the CEO and board of directors, there is a huge gap between words and action. A global study of 109 banks found that only 6 percent of board members have technology experience, and 40 percent of the banks do not have any board members with a technical background. Lack of oversight at the top is a recipe for disaster, resulting in failure to properly enforce corporate governance. Companies may put off upgrading cyber defenses because of the cost, only to find that they underestimated the financial impact of a data breach.

Cyber security is embedded in a web of financial incentives, but the increasing costs of failure, i.e., suffering a data breach, indicate that companies will be held increasingly accountable for protecting data. For example, whether or not a company has cyber insurance in place factors into the decision to pay ransom. Companies with cyber insurance are more willing to pay up. Cyber insurance costs are rising, however, with certain companies even evaluated as uninsurable. In the same trend, the European Union introduced new regulations on protecting customer data — with more teeth than ever before. The maximum fine increased to €100 million or 5 percent of global revenue, whichever is higher. Combined with the increased average cost of a breach, it looks like it’s more expensive to be hacked than ever before.

Outgunned and outmatched?

Simply throwing more money at security does not appear to be the solution, however, as last year marked an increase in security budgets and breaches. Criminal hacking has transformed from solo hackers into a true industry with organized syndicates. These groups have the advantage of innovative, state-of-the-art tools. Are companies doomed to fall behind hackers in a cyber arms race?

An entire collaborative ecosystem has developed to support the hacking economy. There are sleek applications to automate stolen credit card credentials, and researchers even uncovered a ransomware-as-a-service (RaaS?) offering. Hackers regularly leverage free consumer cloud services in attacks against companies with security budgets in the millions of dollars.

An entire collaborative ecosystem has developed to support the hacking economy.

A paradigm shift favoring the good guys may lie in a parallel climate of innovation on the enterprise side: The consumerization of IT. The federal Office of Personnel Management, after suffering a blockbuster data breach, bemoaned the weak security capabilities of the outdated technology in place. Cloud services are disrupting legacy tech vendors, and not just because the applications are easier to use for employees. A majority of companies — 64.9 percent — now consider cloud services as equally or more secure than traditional legacy software. Many cloud service providers are innovative, venture-backed startups employing some of the best talent in the world. Security is their bread and butter, since their entire business model depends on not getting hacked. Leveraging the latest and greatest cloud applications gives companies the firepower to keep up with hackers.

An industry analogy compares cyber security to running away from a bear in the forest: You don’t need to be faster than the bear; you just can’t be the slowest person running away. The use of emerging technologies for IT and security is now a competitive differentiator. To bring light to the end of the cyber security tunnel, companies need to open the door to new technologies.


Rajiv Gupta is a co-founder and CEO of Skyhigh Networks, a cloud security and enablement company. He has more than 20 years of successful enterprise software and security experience, and is widely recognized as a pioneer of Web services. Reach him @trustedmind.

This article originally appeared on Recode.net.

Sign up for the newsletter Sign up for The Weeds

Get our essential policy newsletter delivered Fridays.