A new research study from software firm Veritas Technologies has found that consumers overwhelmingly believe businesses should stand up to hackers and refuse to pay ransoms. However, in the event that the consumer’s own personal data is compromised in an attack, they appear to have a change of heart wanting businesses to surrender to those criminals an average of $1,167 per user.
With recent high-profile hacks reportedly breaching hundreds of thousands of users’ records, the expectation from users would be for the supplier to pay hundreds of millions of dollars in the hope that their data is returned. This is on top of the cost to businesses of downtime, brand reputation, and customer trust.
Seventy-one percent of the 12,000 survey respondents, when asked generally, think that businesses should stand up to hackers who demand money and refuse to pay ransoms. Yet, when asked how much they wanted their suppliers to pay a ransomware attacker in the event that their own data was compromised, the average respondent specified the following amounts for different data types:
|Personal cloud data||$1,336|
|Basic personal data||$886|
|Dating profile / messages||$873|
|Playlists / video streaming information||$761|
Additionally, nearly two-thirds (65%) thought they should be personally compensated if the company still can’t retrieve the information that’s been stolen.
“While it may initially seem like businesses can’t win regardless of whether they pay or not, they are actually getting a clear message from consumers: people want their providers to escape the dilemma of whether to pay, or not to pay, by avoiding the situation in the first place,” said Simon Jelley, VP product management at Veritas Technologies:
“Our research shows that, if businesses want to please their customers, they need to prepare for an attack and be ready to recover from it – so, if the worst happens, they have tried-and-tested recovery procedures in place and there’s no need to pay out.”
Survey responses about how businesses should prepare confirmed this. The two most essential things that consumers said businesses should have in place are protection software (79%) and backup copies of their data (62%).
Businesses that have adopted these technologies are generally considered better able to respond to ransomware attacks since they can normally either prevent an attack, or safely restore their data without needing to pay the attackers’ demands.
“In the past, ransomware was something that only affected a few unlucky people who were forced to pay a couple of hundred dollars to regain access to their locked-out laptops. Nowadays, it’s a multibillion-dollar-a-year industry, as cyber criminals increasingly target vulnerable organizations,” Jelley continued.
“The costs don’t stop with the ransom payout; our survey also showed that people want to see fines and compensation too. On top of this, there is the huge cost of getting a business back on track with downtime, loss of production, and challenges to deliver or bill for products. s a result, global ransomware damage costs are estimated to exceed $11.5 billion annually this year, and this does not take into account the cost of reputational damage to a company’s brand.”
In finding that some CEOs might find alarming, as many as 40% of consumers held the leader of the organization personally responsible for the attacks. Of these:
- Nearly a quarter (23%) said the CEO should face a prison sentence;
- Nearly one in three (30%) said the CEO should be banned from running companies in the future;
- Over one in three (35%) said the CEO should pay a fine;
- Over a quarter (27%) said the CEO should resign;
- A quarter (25%) said the CEO should take a pay cut or be demoted;
- Over two-fifths (42%) said the CEO should publicly apologize
“We agree with the public when it comes to not paying the ransom. Paying a ransom can often propagate the problem and provide attackers with more resources to continue developing more frequent and more advanced attacks. Plus, attackers will typically leave vulnerabilities in the devices of those businesses that have paid up, enabling them to come back again for recurring revenues,” Jelley said.
“And, whether companies choose to pay the extortion or not, the real cost of ransomware is downtime, lost productivity and reputational damage. We believe it’s far better then, to have tried-and-tested data protection solution in place before the hackers come with their demands.”