Light Dark
June 4, 2021 By Lysa Myers 3 min read
Incident Response
Security Services

A ransomware attack can hurt employee morale in unique ways compared to other types of attacks. Depending on how the company reacts, employee morale can drop, and security teams become less effective. While recovering from any malware incident can cost a significant amount of money, too many companies respond to ransomware by funding threat actors directly. There are many reasons not to pay a ransom. And too few organizations consider the cost of the psychological impact of paying.

The Cost of a Breach Versus a Ransomware Attack

According to the 2020 Costs of a Data Breach Report, the direct costs for ransomware are already higher than average for attacks. Many of us are aware of how breaches that affect our customers’ personally identifiable information (PII) can cost more in terms of damage to our reputations. We may not be thinking about how security incidents affect the people providing our security.

If a breach that impacts customers occurs, typically the company will respond with a huge investment to improve the company’s security posture. Affected businesses usually hire a lot more security talent. They’ll often purchase new security tools, too. And, companies shift strategies from being mostly reactive to a more proactive approach. For a security practitioner who makes it through a major incident, this change can feel like a huge relief. Money spent in the wake of a breach can go into fixing problems.

But, this is not always how things progress in the case of a ransomware attack.

Paying Criminals Costs More Than Money

Breaches and other security incidents certainly frustrate workers. But the nature of ransomware attacks can make a huge difference in how they affect morale.

Attacks that happen because of an unforeseen or rare issue are certainly unpleasant. But security practitioners face a whole different suite of frustrations if they’re trying to react to incidents rather than fighting them proactively. Likewise, morale can drop if company leaders don’t listen to employees’ warnings and then the exact issue they were warned about comes to pass. What hurts worst is when companies respond by rewarding attackers with money rather than spending that money to support workers doing their job well in the first place.

There can be other penalties for paying ransoms, too. Many security folks are keenly aware that ransomware gangs have been tied to nation-state threat actors. Ransomware payments can be used to fund actions that are harmful to national security. To combat this, the U.S. government is starting to crack down on consulting companies that help businesses pay ransoms. The U.S. Treasury’s Office of Foreign Assets Control recently warned that these companies could be prosecuted for paying ransoms even if they didn’t know that the attackers were sanctioned.

Being Reactive to a Ransomware Attack Hurts Morale

Let’s return to that idea of being reactionary. According to a survey by Sophos, a common thread among malware victims is that IT managers in affected organizations tend to focus less on prevention, and more on detection and response. This reactive approach can lead to lower morale among security experts who are not able to get ahead of new threats. It can also lead to managers having less trust in the abilities of their team. Reacting to incidents after the fact rather than preventing them certainly does not show anyone in their best light.

Teams who are constantly in a state of mopping up after incidents, rather than preventing them, are a very hard sell in a tight job market. These companies will have a very hard time attracting and retaining talent.

Paying rather than preventing ransomware attacks also puts you at a far greater risk of further incidents. According to a survey by Druva, half of all ransomware attack victims will be hit again. This is partly because threat actors mark these companies as ‘an easy mark’. It’s also likely that the affected companies have not fully addressed the issues that allowed them to be attacked in the first place. Companies hit by ransomware attacks may be less focused on the damage to their reputation than those hit by other breaches. Therefore, they’re less likely to make major efforts to fix issues.

It’s not hard to imagine why this would have a demoralizing effect on employees. Companies need to think about more than money when deciding whether to pay ransoms. They need to consider the cost in terms of the ongoing effectiveness of their security teams, as well.

 |  | 
Lysa Myers

More from Incident Response
October 6, 2023

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

September 27, 2023

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

August 31, 2023

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature