Is Paying to Delete Stolen Data Bonkers?

I sort of stole Brian Krebs’ blog post title and then changed it completely for the counterpoint.

Brian’s actual title (nothing against Brian; I have spoken with him multiple times; he is a good guy) is WHY Paying to Delete Stolen Data is Bonkers .

In concept, I don’t argue with it.

Brian’s claim is that crooks are not honorable, which is kind of a sad state of affairs. If you can’t trust your local extortionist, who can you trust?

First part of the conversation: Brian says that currently, about half of the ransomware attacks are also data extortion attacks meaning that in addition to making your data unavailable to you, the hacker also steals your data and threatens to do something bad if you don’t pay the ransom.

Brian quotes data from Coveware who says that often, even after the victim pays the ransom, at least some of the data published anyway.

They have also seen many cases where some of the data published before companies even have a chance to pay.

Finally Brian correctly points out that unlike getting a decryption key and decrypting the data, paying a ransom for a crook to destroy your data could lead to multiple extortion efforts over time since you have no way know if they really will destroy any or all copies of the data.

That is the end of Brian’s thoughts.

But he allows comments. The commenters are likely all techies and seem to have a “the world is black or white view”.

The writers suggest that paying ransom should be illegal and that insurance companies should not be allowed to pay a ransom (apparently these folks are not aware of the recent DoJ announcement).

One asked what if paying the ransom was the only way to restore your business and your livelihood? What if you are a doctor and your patient records are all encrypted. One person who clearly does not understand medicine said that you can always recreate the records by talking to the patient and/or redoing some tests. Really. Glad he is not MY doctor. Other writers said that if person goes out of business, tough. Not his problem. After all, good security is easy and cannot be compromised, right? Just ask any company that has been hacked whether protecting their data is easy.

All that being said, ransomware is a multi-billion dollar business.

Mostly, that is because businesses seem to figure that it is not going to happen to them. As a result businesses choose not to spend enough money on cybersecurity. IF something happens, which they figure it won’t, it is a legitimate business expense and they deduct it from their profits – for the part that is not covered by insurance. That doesn’t make it free, but it does make it less painful.

What might be interesting is to change the law to say you can do what you want, but proactive cybersecurity costs are deductible, while incident response costs are not deductible. If paying for a breach comes out of the shareholders/owners pockets directly, that might change some attitudes.

We have seen some fines, but even for the big breaches, the fines are small, so they are not much of a disincentive. An example is the recent Marriott breach. The “proposed” fine was 100 million British Pounds. The “negotiated” fine is 18 million Pounds.

That is about five cents for every record exposed.

What if the law says that the penalty is, say, $1 per record exposed and the regulator cannot negotiate that down like you do with a speeding ticket.

In that case, Marriott’s fine would have been about $400 million. Much more of an incentive than five cents per record.

I don’t have a great answer.

When all we were worried about was getting your systems back online, then good backups and a well thought through recovery plan solves the problem.

Now the problem is more complex.

This is a business risk problem and an especially big problem those in regulated industries. That means that risk owners (like the CEO, COO and CFO) need to be involved in the conversation.

The federal government is at the beginning of a five year project to require companies that do business with them (initially the DoD) to be certified periodically. If they do not get certified, they CANNOT be awarded new contracts. That is one case where security is binary.

There is no simple answer but business owners play a key role. They have to step up to the plate and understand that cybersecurity can mean the difference between staying in business or closing down. Then have conversations with their managers and with IT to figure out what each business should do.

Credit: Brian Krebs

by