MIT SMR Strategy Forum
Last week, ahead of the Thanksgiving holiday in the United States, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging organizations to take precautions and prepare for possible ransomware attacks. As CISA director Jen Easterly put it, “We know that threat actors don’t take holidays.”
In fact, weekends and holidays are prime targets for cybercriminals. Over the Fourth of July weekend in 2021, Kaseya, a U.S.-based software company, suffered a supply chain ransomware attack that affected as many as 1,500 businesses.
Ransomware attacks — a type of cyberattack in which hackers use malicious software to seize and block access to computer systems and data until a ransom is paid — have increased dramatically since the beginning of the pandemic. Alarmingly, the amount paid by victims increased more than 300% in 2020, totaling roughly $350 million. The rise in attacks can be linked to several factors: more widespread use of remote networks during the COVID-19 pandemic, hackers becoming more sophisticated in their approaches, and the growth of cryptocurrency, which allows ransom payments to be made more easily.
Kaseya did not pay the $70 million demanded by ransomware operator REvil this past summer, but many other companies have weighed the decision and come out on the opposite side — paying to get their systems back online. When Colonial Pipeline, one of the largest oil pipeline operators in the United States, paid $4.4 million in bitcoin to cybercrime group DarkSide in May 2021, CEO Joseph Blount remarked that the decision was a difficult one but ultimately “the right thing to do for the country.”
In the current threat landscape, preparing for cyberattacks and building resilience against hackers must become part of a company’s infrastructure. But what should an organization do in the case of an attack when its own systems and data are on the line?
In this month’s MIT Sloan Management Review Strategy Forum, we put the topic to our panel of strategy experts, asking them to respond to the following statement: When hackers take data hostage, companies should pay the ransom.
The upshot: Nearly three-quarters of respondents (73%) disagree or strongly disagree that companies should pay up. But most are quick to note that it’s not a simple question. As Ivan Png notes, “Data hacks present a collective action problem. Each individual victim would rather pay up and recover their data. But each ransom feeds the hackers and aggravates the problem for all.”
Richard Holden and Monika Schnitzer both raise the issue of coordination: How can companies credibly commit and coordinate between themselves to not pay and thus disincentivize hackers? Schnitzer points to one promising solution: “Condition the penalty on the amount of ransom asked for and collected, and make sure the hackers are caught.”
“Paying the ransom would likely encourage future attacks. Moreover, once the data are compromised, there is no guarantee that the data will not be misused. Rather, companies should have protocols in place to respond to the incident (e.g., by taking measures to mitigate any harmful use of the data). Importantly, companies should be proactive and take effective measures to prevent data hacking in the first place.”
Unsurprisingly, many who disagree with paying point out the need to discourage criminals from carrying out more attacks. Others who disagree also note that companies should focus more on preventing attacks and investing money in strengthening security measures.
“The most obvious point is that companies today need to proactively invest in ensuring that their data is not being taken hostage — at least since Sony, it has been clear how vulnerable corporates are. And, I think that large corporates have a responsibility to overcome this challenge (and paying the ransom only exacerbates the problem going forward). However, for a midsized corporate or startup (or municipal government), I can understand how they might be hacked and also why they might end up paying.”
(Panelist, MIT Sloan School of Management)
Neither Agree nor Disagree
In the middle, 15% of respondents cite various factors that make it difficult to decisively agree or disagree on the issue. As Anita McGahan writes, “The circumstances are critical in discerning the best approach, which depends on the nature of the data, the nature of the breach, the risks of disclosure, the level of redundancy, and a zillion other factors.”
Examining both sides of the issue, Nicolai Foss points out that “from an ethics perspective, they should not pay; however, not paying may threaten the survival of the business.” Rather than forbidding the practice of paying ransoms after attacks (something that has not been formalized in law, though two other panelists point to a unique Italian law forbidding the families of victims of kidnapping from paying ransom), Foss suggests that a “long-run solution is to impose greater costs on the perpetrators, not the victims — harsher punishment, more deterrence and prevention.”
“It is for the benefit of society that no one pays ransom so that ‘pirates’ find it unprofitable to engage in this behavior. However, each business must take into account its own bottom line, and that may be best served by paying the ransom. It’s a sad but understandable tension between the social good and the private good.”
(Panelist who neither agrees nor disagrees, University of California, Berkeley)
Twelve percent of panelists either agree or strongly agree that companies should pay the ransom, citing moral hazard, getting past the immediate crisis, and the growing importance of data as a competitive advantage as contributing factors.
As Tobias Kretschmer points out, “Assuming it is consumer (or any third parties’) data, companies have a duty of care vis-à-vis their partners. Hackers then represent a security risk like any other, which ultimately lies within the companies’ responsibility.” Joshua Gans notes that others are more likely to be hacked if individual companies pay, but also points out that this is a broader policy question, distinct from the company’s strategic objective of solving the problem and moving on to investing in prevention.
“If it will solve the problem, it makes sense for them to do it, get over the immediate crisis, and then invest heavily to stop it [from] happening again. Sure, that makes it more likely others will be hacked, but that is a broader policy question. These days companies with critical systems online now have to spend [money] on security. Add that to the list of expenses caused by crime.”
(Panelist, Rotman School of Management)
The bottom line: Ransomware is an unfortunate reality of the modern digital era, and all companies must take measures to identify, mitigate, and prevent these attacks. It takes upfront investment and a proactive approach, but it might just save you from having to make a terrible decision — and shell out lots of money — down the road.