Cybercrime Study: 30 Percent of IT Security Pros Would Pay Ransom for Data Return
One in three IT security professionals advocate that organizations negotiate with cybercriminals for the safe return of stolen data or encrypted documents, according to a new study.
The study, conducted last month by Opinion Matters for security provider ThreatTrack Security in a blind survey of some 250 security professionals at U.S.-based companies of 500 to 2,500 employees, addresses the issue of cybercrime extortion, or a demand for “payment or any action or change of behavior…in exchange for stolen or encrypted data, including encryption keys for ransomware infections.”
Although 70 percent of IT security professionals in the survey didn’t support paying a ransom to cybercriminals for the return of stolen data, 86 percent said they knew of others who had made deals with e-crooks. Some 40 percent said they work at an organization that had been targeted by data extortion criminals, with more than half of those businesses willing to negotiate.
“ThreatTrack research reveals a surprising number of security pros would concede to cybercriminal demands to avoid the consequences of data compromise, loss or misappropriation,” said Stuart Itkin, ThreatTrack senior vice president.
“Whether data is stolen by sophisticated Advanced Persistent Threats (APTs) or targeted attacks, or lost due to ransomware infection, enterprises need to reevaluate their cybersecurity strategies to incorporate the latest advanced threat defenses and become obsessive about backing up their data,” he said.
Here are some additional top-line findings from the study:
- 92 percent of healthcare and 80 percent of financial services security specialists would not negotiate with cyber extortionists
- 23 percent of survey participants said companies should set aside funds to negotiate with cyber crooks threatening to steal, encrypt or sell their data
- 66 percent worry about negative reactions from customers and/or employees whose data was compromised if they learned their organization chose not to negotiate with cybercriminals for its return after a breach was disclosed
- 59 percent said cybersecurity insurance firms should offer policies to provide companies with a third party to negotiate on their behalf for the return of their data
- 30 percent said they are not a likely target because “Our company does not have a high enough profile” and/or “Our data is not valuable enough to steal”
“Rapid detection and elimination of threats, and the ability to restore encrypted data, will neutralize the incentives that are driving cybercrime extortion and help ensure security professionals will not have to face this difficult choice,” Itkin said.
The full results of the study can be found in ThreatTrack’s report entitled “Negotiating with Cybercriminals.”