Boards’ dilemma on ransomware

To pay or not to pay? When it comes to the growing threat of ransomware, board members need to be clear on how their organisation’s data and IT infrastructure are being protected, writes Professor Kamal Bechkoum, head of the School of Business and Technology at the University of Gloucestershire

Ransomware is one of the most debilitating forms of cyber-attack, often catching companies unawares and ultimately causing them long-term financial and reputational harm. Unfortunately, 2019 has seen a massive upsurge in large companies being targeted.

In one recent example, ransomware hit Johannesburg’s City Power, the primary electricity supplier for South Africa’s economic hub, encrypting its databases, applications and network. In another, Norsk Hydro announced that it is facing a price tag of £75m after recovering from a ransomware attack that froze staff computers and halted production lines.

Once ransomware takes hold of a single device, an entire network can quickly become infected. Just one click is all that is needed for confidential information and other crucial parts of a company’s operations to be made inaccessible.

Ransomware will often make its way onto a system via a malicious web link or email attachment. If the network is not properly protected, an entire organisation’s IT infrastructure can end up infected.

There are two main types of ransomware: crypto and locker. Once a malicious file is opened, crypto-ransomware seeks to encrypt files, folders and whole drives, promising to restore the data only after a ransom has been paid. As the name suggests, locker-ransomware poses a similar threat by locking users out of devices and systems, whether or not the underlying data is encrypted.

In the face of these developments, boards cannot afford to be complacent over organisational security strategies.

Top teams should have a detailed view of what the impact of a breach would be and understand who will take the lead if normal service is interrupted. They should also be prepared to lead long-term strategic planning to protect operations against this continually evolving threat.

One of the biggest challenges to confront is the ethical dilemma of whether an organisation should pay a ransom or not. This is no easy decision. Average ransom demands are currently in the region of £10,000, often with a 24-hour countdown attached before all data or access is irretrievably lost, and paying offers no guarantee that the criminals will actually restore the data.

This means the board debate over whether to pay needs to be had long before an IT network is held hostage.

At the same time, transparency can be vital. Business leaders need to prioritise security while insisting that all frontline employees do the same. People are inevitably the weakest link in cybersecurity, so they need to know when there has been a breach, what action is being taken and how their work will be affected.

Cybersecurity cannot be solved by simply buying in more technology as a quick fix. It is about taking a strategic approach to budget allocation and decision-making that delivers genuine improvement.

Be prepared to ask difficult questions of your IT team. If they believe they have the necessary expertise and software to deal with any ransomware threat, put this to the test. Bring in a fully qualified third-party company capable of testing processes and practice with an unannounced simulated attack.

A culture of security should be fostered throughout the workplace. Staff need to be educated and trained to keep software applications and systems updated; to back up files regularly, keeping copies offline and testing that they can be restored; and to segment networks so that sensitive data is accessible only where necessary.

The ideal organisational culture sees managers and staff taking a second-nature approach to keeping information safe and viewing security as a positive force. This necessitates a checklist that boards can become familiar with and adhere to as part of their regular order of business.

If the organisation falls victim to cybercrime it is vital to act quickly. Wherever possible, ensure that the incident is contained while the business continues to operate. Then prepare to notify all relevant stakeholders, including insurers, regulators, lawyers, the police and clients, as necessary and practicable.

Training should prepare board members for ‘what if?’ scenarios along with clear roles and responsibilities in case of a cyber-attack. How will an organisation respond to its networks being compromised or customers being unable to access online services?

These issues should be a standing agenda item at board meetings, if only to confirm that no changes are needed since the previous review.

The threat landscape is constantly moving and, while it may be unrealistic to ask executives to follow every twist and turn, they can encourage IT managers or the COO to join external organisations and forums where threat information and good practice are shared. This can be used to provide regular updates prepared specifically for the executive.

Develop a corporate ransomware policy and turn the strategic principles agreed by the board into a working tactical plan.

Worryingly, research shows that one-third of companies believe it has become more cost-effective for them simply to pay a ransom than to invest in proper security systems and training.

Unfortunately, this creates a catch-22: businesses continue to pay, ransomware grows as a popular money-making tactic for criminals, and the problem is only encouraged further. It is up to boards to decide where the line will be drawn.

This article first appeared in ‘Board Agenda’ magazine