Ethics for ransomware: To pay or not to pay?

Cyberattacks challenge all organizations. Ransomware attacks continue to be a mainline threat, with 60% of surveyed organizations reporting a business disruption in the last 12 months due to ransomware, according to  IDC’s What Do Four Recurring Surveys Tell Us About Trends in Ransomware Incidents?

As the criminals have become more sophisticated in their attacks, organizations must become more prepared in their response. Any CIO or CISO facing a ransomware attack will be engulfed in the challenges of responding to the urgency of the moment. A key question will be this: Should we pay the ransom or not? This can be an ethical dilemma because on one hand the organization simply wants to get back online, back to business as soon as possible by paying the ransom, and on the other hand paying anonymous criminals with a minimal chance of protecting your data seems like an unnecessary capitulation. Here is a five-step framework to sort through this ethical dilemma.

Five steps to respond ethically to a ransomware attack

Abide by applicable data privacy laws

First, you must know and obey the data privacy laws, which will depend on where your organization operates and where the attack has occurred. For example, stricter legal structures for personal data privacy in Europe (GDPR) and California (CCPA) will require more attention. All countries and most states will have a set of regulations that must be followed in the event of a data privacy breach, and most of the regulations are constantly being upgraded. Your knowledge of the legal requirements must be current; it will be too late to learn during the attack and recovery.

Get professional advice

Second, you must get professional advice on several fronts. This includes legal advice regarding the applicable laws and regulations as well as advice from appropriate police services in responding to this crime. Although ransom payments are not illegal, payments to organizations sanctioned by governments, such as terrorist groups, are illegal. You will need negotiating support from professionals, often provided through cyberinsurance policies. Of course, advice on communication within and outside of your organization will be required. Lastly, technical advice on how, or if, damage from the attack can repaired will be important. You should always have a list of advisors ready and current.

Consider the implications of ransom payment

Third, you must understand both the moral issues related to ransom payments (which may be seen as funding criminal activities) and how this will align with your corporate and professional code of conduct. Ransom payments may expedite recovery of critical information systems so that the business can quickly resume operation but may also be embarrassingly expensive. If the attack threatens the ongoing operation of the organization, there may be few alternatives. Advisors should provide information on the likelihood of recovering information even if the ransom is paid. IDC research has found that 52% of organizations pay the ransom when attacked (Ransomware 2024: If We Have Backups, Why Are We Still Paying a Ransom?). However, for those organizations that did pay, approximately one-quarter did not completely recover their encrypted data (Ransomware 2024 by Market Vertical: Paying the Ransom Does Not Guarantee That You Will See Your Data Again).

Understand how stakeholders will be impacted

Fourth, you must consider all stakeholders that will be affected by the decision you are about to make. For public organizations such as a school, hospital, or library, ransoms paid imply that funds for the organization’s mission will be diminished and those who rely on that organization will see lower service or capability. On the other hand, shareholders and owners who see the value of the organization diminish while it responds to the attack will expect a timely response and business resumption in a cost-benefit manner. Workers who are idled during the attack will be concerned about their income and job. Who are the key stakeholders and how will you respond to their concerns?

Recommend a plan of action to CEO and board

Fifth and last, you should never decide alone. In many organizations, this decision will be made at an executive (e.g., CEO) or board level. Your role as an IT leader will be to gather accurate and timely information, integrate advice from professionals, and recommend a plan of action with a level of associated risk. Your own personal ethical and moral standards will be tested; the decision may become attached to you, so be prepared to defend your recommendation.

Expect an attack; be prepared

No CIO or CISO welcomes a ransomware attack. No CIO or CISO should expect to remain unaffected by this global threat; therefore, must be prepared. When you are responding with “all hands on deck” it will be too late to define a ransomware response that will be both pragmatic and ethical.

Learn more about IDC’s research for technology leaders.

International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the technology markets. IDC is a wholly owned subsidiary of International Data Group (IDG Inc.), the world’s leading tech media, data, and marketing services company. Recently voted Analyst Firm of the Year for the third consecutive time, IDC’s Technology Leader Solutions provide you with expert guidance backed by our industry-leading research and advisory services, robust leadership and development programs, and best-in-class benchmarking and sourcing intelligence data from the industry’s most experienced advisors. Contact us today to learn more.

Dr. Ron Babin, an adjunct research advisor for IDC, is a senior management consultant and professor who specializes in outsourcing and IT management (ITM) issues. Dr. Babin is a professor in IT management at the Ted Rogers School of Management at Ryerson University in Toronto, as well as its director of Corporate and Executive Education.

Babin has extensive experience as a senior management consultant at two global consulting firms. As a partner at Accenture, and prior to that at KPMG, he was responsible for IT management and strategy practices in Toronto. While at KPMG, he was a member of the Nolan Norton consulting group. His consulting activities focus on helping client executives improve the business value delivered by IT within their organizations. In his more than 20 years as a management consultant, Babin has worked with dozens of clients in most industry sectors, mainly in North America and Europe. Currently, Babin’s research is focused on outsourcing, with particular attention to the vendor/client relationship and social responsibility. He has written several papers and a book on these topics.