Security fail? One in three companies think paying hackers is worth the risk

Too many companies are taking a short term view when it comes to security.
Written by Danny Palmer, Senior Writer

A third of organisations would consider paying a ransom to hackers instead of investing more in security, a survey has claimed.

For some organisations, spending on cyber security products or training appears to be seen as investing in something that might never be needed, so they choose to put the money elsewhere.

Decision makers at organisations around the world were asked whether they would consider paying a ransom to a hacker, rather than investing in security, because it is cheaper.

On average, a third said that yes, they would, while a further 16 percent said they didn't know what they would do, according to research by security company NTT Security, which examined business attitudes to risk and the value of information security.

Organisations in Norway, France, Germany and Austria are the most likely to give in to a ransom demand rather than invest in security, with 40 percent of firms stating they would consider taking this approach.

Just over a third (35 percent) of US firms said they would consider taking this action, while the country with the smallest proportion of organisations which would consider paying a ransom is the UK -- although, at one in five, that is still a significant share.


This research comes despite high-profile ransomware attacks like WannaCry and NotPetya, which demonstrated how vulnerable organisations can be to cyber attacks -- especially those that put off, or don't budget for, patching and securing the computers on their network.

"While it's encouraging that many organisations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs," said Kai Grunwitz, senior VP for EMEA at NTT Security.

Those taking a 'wait-and-see' approach to cyber security are taking risks on a number of levels, not least because it leaves them open to attacks, particularly those like WannaCry which take advantage of known vulnerabilities for which patches were already available before the outbreak.

Then there's the obvious risk of paying off hackers: there's no guarantee the criminals will hold up their end of the bargain, so an organisation could give in to the demands, only to find that it receives no working decryption key, or that it is still left with ransomware or other malware on its network -- and it's entirely possible the attackers will come back to cause more damage to what they now view as an easy, paying target.

Given that some of the highest proportions of organisations who would consider paying hackers rather than investing in security are based in Europe, there's another issue that could create big challenges for them, especially if the hackers manage to breach the network and steal personal data: GDPR.

Under the recently enacted European Union legislation, organisations must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, and any organisation found to have failed to disclose a breach could find itself on the receiving end of a very large fine -- along with the reputational damage that comes with being known to have been careless with customer data.
