Cyber Workforce Resilience

To pay, or not to pay, how to think clearly about ransomware demands

Written by
Evander Pierre
Published on
April 12, 2022

Our recent Cyber Workforce Benchmark report analyzed data from over half a million exercises and simulations we have run for more than 2,000 organizations around the world.

It provides some great insights into human capabilities, and limitations, when countering cyber-attacks.

When we tested crisis response teams with different scenarios, ransomware proved the most difficult for people to deal with. After each simulation we asked teams how confident they were in their performance. Seven of the 10 crisis scenarios with the lowest confidence in the decision made were ransomware simulations. People overwhelmingly do not want to pay the criminals, but equally fear the consequences of not paying.

There were also big differences between sectors. One in four education teams opted to pay up, compared to none of the infrastructure teams. Some 18 percent of government teams agreed to pay, in the face of official advice to never pay.

These numbers reflect the real world – although estimates vary wildly. But there is no doubt that a large percentage of ransomware demands are paid. There is a well-established industry in negotiating and arranging payment and there are few security firms or experts who genuinely believe there are no circumstances where paying up may be the right decision.

Why is it so hard?

Ransomware provides a classic example of a ‘wicked problem’: a challenge with no clear answer or resolution. Even when a decision is made, you still do not know whether you made the right call. Teams were overwhelmed with data and exhausted by trying to make decisions they could not test. Wicked problems are also irreversible: once the ransom is paid there is no going back.

This also matches another finding of the report, where we analyzed the inherent biases of security professionals. The majority of cybersecurity professionals are far more interested in stopping the initial access by the bad guys, and much less interested in the ‘downstream’ consequences of any hack.

But a well-prepared organization must be ready to counter every step of an attack.

How to build better team decision making

That requires regular training and learning to ‘think about thinking’. Frequent training – at least once a month – builds that cognitive ability and agility. In a crisis there is a propensity for the untrained brain to seek to block outside noise and focus on what you think you know. But relying on gut feeling or existing knowledge can mean ignoring the reality of what is actually happening.

At the very least training will allow you to be aware of when this is happening to you. Leaders in a crisis need to be more, not less, open to suggestions outside the norm.

It is this flexibility which is crucial to a modern defensive strategy. Of course, you need a plan and you need to know everyone’s role. But you also need to have the capability to think fluidly and quickly and be aware of what might be tainting your decision making.

Embedding and practicing and evolving these skills across the organization will provide the operational resilience necessary for an effective defense.

Please have a look at the whole Cyber Workforce Benchmark report – we hope it shows how human knowledge, skills and judgement can play a bigger role in mitigating the impact of cyber-attacks in organizations of all sizes and types.

Ben Hockman

Crisis Sim Management and Response Lead
