
Which Industries Are Most Likely to Pay Ransomware? - Wall Street Journal


Companies in the construction industry were the most likely to say they would consider paying a ransomware demand.

Photo: rob engelaar/Agence France-Presse/Getty Images

It’s one of the trickiest questions a company can face: pay a ransomware demand, or don’t.

Among cybersecurity leaders surveyed by WSJ Pro Research, 57.5% said they wouldn’t pay, leaving 42.5% who said they would at least consider paying—with a wide range of responses depending on what industry a company is in. WSJ Pro Research provides data and research as part of The Wall Street Journal’s professional information offerings.

Law-enforcement agencies including the Federal Bureau of Investigation have advised victims not to pay ransomware attackers, who encrypt the target’s data and demand a ransom—typically in bitcoin—to unlock it. Paying creates an incentive for more cybercrime and doesn’t always result in the encrypted data being restored, authorities say.

Still, about 74% of survey respondents in the construction industry said they would consider paying a ransom, making construction companies the most likely to contemplate it. Technology firms were next, with about 57% saying they would consider paying. The sector least likely to consider paying was government, with only 18% of respondents saying they might.

Why pay?

Brian Kirk, a former cybersecurity leader in the construction industry who now leads the cybersecurity team at consulting firm Elliott Davis LLC, cites a couple of reasons why construction companies might be more willing than others to meet ransom demands. One is that the companies generally have a decentralized IT infrastructure that is often spread out among dozens of contractors and subcontractors. That makes ransomware attacks harder to contain, making recovery more difficult and expensive if a company decides not to pay a ransom. And the industry faces tight deadlines on construction projects, which increases the pressure to unlock scrambled data quickly. Construction companies also tend not to spend enough on cybersecurity technology and personnel, he says.

“Your choice is paying the ransom or starting over from scratch, and if you’re in the middle of a big construction project, then starting over isn’t an option,” says Mr. Kirk.

There have been a handful of recent reports of ransomware attacks on construction firms. Bouygues Construction, a subsidiary of the French conglomerate Bouygues SA, disclosed a ransomware incident in January but provided few details. A spokesman for the company said in an email that Bouygues didn’t pay a ransom and that it was able to restore its data on its own.

Mr. Kirk says most ransomware attacks against construction firms go unreported, because they can damage a company’s reputation. Many data-breach notification regulations only apply to sensitive consumer data at public companies, and can make exceptions for ransomware if the data is simply locked up and doesn’t leave the company.

Technology companies tend to be more willing than many others to pay a ransom for different reasons, says Sean Brooks, director of the Citizen Clinic at the University of California, Berkeley’s Center for Long-Term Cybersecurity.

Technology firms generally have a more sophisticated understanding of their computer infrastructure than many other organizations and so would likely have a better understanding of how much money it would cost to not pay a ransom, Mr. Brooks says. If a company is able to accurately crunch the numbers and determine that the cost of not paying far exceeds the amount demanded, it may be a straightforward decision to pay, he says.

“Tech companies almost certainly have a much more nuanced sense of what the recovery from a ransomware attack looks like—what the lead time is for recovering the assets, what the opportunity cost is,” says Mr. Brooks. “A lot of companies in the tech sector lay money aside for these kinds of risks as an operating cost.”

Why refuse?

On the other end of the spectrum, government agencies generally are reluctant to pay ransomware demands because it’s politically untenable, Mr. Brooks says.

“In a case like ransomware, where it’s a very serious crime that involves straight-up extortion, I can’t imagine a world where government agencies are willing to pay demands,” he says. “The political cost of justifying it to various constituencies is just awful.”

Cities including Atlanta, Baltimore and New Orleans have suffered debilitating ransomware attacks in recent years and have refused to pay the demands. Last July, the U.S. Conference of Mayors passed a resolution calling on cities around the country to not give in to ransomware demands.

“The default for government is not to pay—no one wants to get hauled in front of Congress for paying,” says Mr. Brooks.

Mr. Janofsky is a writer in New York. He can be reached at reports@wsj.com.

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.

June 22, 2020 at 07:35AM