You can’t cheat a data breach – why paying the ransom isn’t an option

If you need proof of why protecting your data with strong controls is so important, look no further than the Ashley Madison data breach and the recent Netflix docuseries detailing it, Ashley Madison: Sex, Lies & Scandal. If you’ve never seen the TV show, here’s the quick rundown.

In 2015, a hacker group called ‘The Impact Team’ stole highly sensitive personal information from Ashley Madison, a social site for people looking to cheat on their significant other. The cybercriminals threatened to release the personal data of Ashley Madison members unless the company deactivated their website. When Ashley Madison refused, the hackers released 60 gigabytes of user data on the dark web, causing serious consequences in users’ lives. And while it might sound crazy, Ashley Madison’s response to the hackers completely aligned with the guidance of the Canadian Government and cyber-security experts: never pay a ransom or meet the demands of criminals.

Despite the recommendations from government agencies and cyber security experts across the globe, there are some companies that have experienced serious cyber threats and chosen to pay the ransom. It’s an interesting position and one we explore in this article.

Why do businesses go against government advice and pay the ransom?

There are a few reasons companies feel pressured to give cybercriminals what they want. Let’s take a look…

1. Worried about reputational hit

Companies may pay hackers to avoid admitting to clients that their data has been stolen during a data breach, fearing a hit to their reputation. However, criminals are deceptive, which is why the government suggests not cooperating with them. If a company pays the ransom and the data is released anyway, it ends up looking worse for not being honest and transparent with key stakeholders in the first place.

2. Worried about losing business

During a cyberattack, a company’s operations can be severely disrupted; websites may go offline, payments can’t be processed, and social media pages become inaccessible. To minimise these losses, businesses might think paying the ransom is the quickest solution. But there’s no guarantee the hackers will restore everything after payment, which can leave the company in a worse situation than when it started.

3. Worried about the cost of updating system security

Recovering data, getting back online, and implementing better security can be costly, especially for small-and-medium-sized businesses, so paying the ransom might seem cheaper in comparison. However, paying doesn’t ensure data recovery, and investing in security and fixing security flaws is essential for long-term protection. In other words, paying the ransom may not fix the underlying issues, leaving the business vulnerable to another attack in the future.

How do you protect your business from cyber criminals?

So you now know why it’s not advised to pay the ransom, but what can you do to protect yourself from a data breach? Unfortunately, there have been instances where some small-and-medium-sized businesses have never recovered from a cyber-attack. It’s a scary thought, so prevention is essential to protecting your business. A great way to avoid an attack is implementing an ISO 27001 Information Security Management System Certification. This will not only arm you against risks and tighten up security standards, but will also cement trust with stakeholders and show that measures are in place to shield you from external and internal factors. It’s the best way to safeguard your organisation, guarantee business continuity, and establish trust with key stakeholders. Preventing a cyberattack can be costly, but not protecting your business will cost you more.

Certification made simple

Ready to navigate the complexities of ISO certification or need assistance with suspension and reinstatement? Contact Citation Certification today. Our experts are here to guide you through every step of the process, ensuring your compliance and certification success.

About our author

Georgia Theocharous is the Communications Coordinator for Citation Group. She is responsible for crafting content across multiple channels such as blogs, social media, landing pages and email campaigns. In her spare time, you can find her jamming to her favourite music or in the dojo practising her martial arts skills.