Only If Human Lives Are In Jeopardy
Telling organizations to never pay a ransom is naïve if such a refusal puts human lives in jeopardy, which would often be the case for health-care and critical infrastructure companies, according to Secureworks Chief Product Officer Steve Fulton. Every hour that a hospital is unable to access its IT systems or internet-enabled medical equipment increases the likelihood of a patient death, Fulton said.
Decisions about whether or not to pay a ransom should consider the severity of the cyberattack, the industry the victim organization is in, how long it would take to mitigate with and without a decryption key, and the specifics of the company that was compromised, Fulton said. Ransom talks usually start at a very large number, but Fulton said victims are typically able to negotiate themselves a steep discount.