A recent study has shown that consumers hold double standards about paying off hackers, and that many also hold the CEO personally accountable for an attack.

Consumers believe businesses should stand up to ransomware hackers and refuse to pay. When the consumer's own personal data is compromised in an attack, however, they appear to have a change of heart.

In a recent global survey of 12,000 respondents by Veritas Technologies, 71% wanted businesses to stand up to hackers unless their own data was involved. In that case, they expected their supplier to pay the criminals an average of US$1,167 per user, with the amount depending on the type of data compromised:

Type of data compromised                  Expected payment per user (US$)
Personal finances                         1,687
Child's data                              1,587
Government records                        1,491
Medical records                           1,344
Personal cloud data                       1,336
User credentials                          1,128
Webmail                                   1,062
Customer records                            959
Social media                                886
Basic personal data                         886
Dating profile / messages                   873
Playlists / video streaming information     761
Average                                   1,167

Additionally, nearly two-thirds (65%) thought they should be personally compensated if the company still cannot recover the stolen information.

With recent high-profile attacks reportedly exposing hundreds of thousands of users' records, consumers would therefore expect the supplier to pay hundreds of millions of dollars in the hope of getting that data back. This is on top of the cost to businesses of downtime, damage to brand reputation and loss of customer trust.

Simon Jelley, VP product management at Veritas, said: “Whilst it may initially seem like businesses can’t win regardless of whether they pay or not, they are actually getting a clear message from consumers: people want their providers to escape the dilemma of whether to pay, or not to pay, by avoiding the situation in the first place. Our research shows that, if businesses want to please their customers, they need to prepare for an attack and be ready to recover from it—so, if the worst happens, they have tried-and-tested recovery procedures in place and there’s no need to pay out.”

Survey responses about how businesses should prepare point the same way. The two things consumers most expected businesses to have in place were protection software (79%) and backup copies of their data (62%). Businesses that have adopted these measures are generally considered better placed to respond to ransomware, since they can normally either prevent an attack or restore their data safely without paying the attackers' demands.
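A backup only removes the need to pay if it survives the attack and has actually been restored from before. The following restore drill, added here as an illustration and not part of the Veritas survey or any Veritas product, builds a small constructed data set, records a SHA-256 manifest at backup time, tampers with the live copy the way an encryptor would (overwrite and rename), and then proves the restore brings the tree back to the recorded state. The directory layout, file contents and the tampering routine are all assumptions made for the example; in practice the backup would sit on storage the attacker cannot reach (offline or immutable), not in a sibling directory as it does here.

```python
"""Restore drill: prove a backup can return a directory to a known-good state
after its live copy has been tampered with (e.g. encrypted by ransomware).

Added example with constructed data; the layout, file contents and the
simulated encryptor are illustrative assumptions, not real malware logic."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(live: Path, backup: Path) -> dict:
    """Copy the tree and record a manifest of what was actually copied."""
    shutil.copytree(live, backup)
    return manifest(backup)


def verify(root: Path, expected: dict) -> bool:
    """True only if root holds exactly the expected files with the expected digests."""
    return manifest(root) == expected


def simulate_ransomware(live: Path) -> None:
    """Overwrite every file with random bytes and add a .locked suffix.
    Constructed stand-in for an encryptor so the drill has something to recover from."""
    for p in list(live.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) or 1))
            p.rename(p.with_name(p.name + ".locked"))


def restore(backup: Path, live: Path) -> None:
    """Replace the live tree wholesale with the backup copy."""
    shutil.rmtree(live)
    shutil.copytree(backup, live)


def restore_drill() -> dict:
    """Run the drill end to end and report each check as a named boolean."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        # Constructed sample data standing in for customer records and config.
        (live / "records").mkdir(parents=True)
        (live / "records" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (live / "config.ini").write_text("[db]\nhost=localhost\n")

        expected = take_backup(live, backup)
        results = {"backup_matches_live": verify(live, expected)}

        simulate_ransomware(live)
        results["live_ok_after_attack"] = verify(live, expected)

        # The backup itself must be untouched, or the drill has nothing to restore.
        results["backup_intact"] = verify(backup, expected)
        restore(backup, live)
        results["live_ok_after_restore"] = verify(live, expected)
        return results


if __name__ == "__main__":
    for check, passed in restore_drill().items():
        print(f"{check}: {passed}")
```

The manifest is the important part: a restore that completes without error is not the same as a restore that reproduces the data, and comparing digests recorded at backup time is what turns "we have backups" into "tried-and-tested". A real drill would run against the production backup target on a schedule, with the manifest stored separately from the backup so that a tampered backup cannot also rewrite its own checksums.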

Jelley, continued: “In the past, ransomware was something that only affected a few unlucky people who were forced to pay a couple of hundred dollars to regain access to their locked-out laptops. Nowadays, it’s a multibillion-dollar-a-year industry, as cyber criminals increasingly target vulnerable organizations. The costs don’t stop with the ransom pay-out; our survey also showed that people want to see fines and compensation too.”

On top of this there is the huge cost of getting a business back on track: downtime, lost production, and difficulty delivering or billing for products. As a result, Jelley said, global ransomware damage costs are estimated to exceed US$11.5 billion annually this year, and "this does not take into account the cost of reputational damage to a company's brand."

The real cost of ransomware

The findings above come from a global piece of research that asked consumers in China, France, Germany, Japan, the United Kingdom and the United States what they thought about ransomware.

The survey showed that as many as 40% of consumers held the leader of the organization personally responsible for an attack. Asked what should happen to the CEO afterwards, respondents said:

  • Nearly a quarter (23%) said the CEO should face a prison sentence
  • Nearly one in three (30%) said the CEO should be banned from running companies in the future
  • Over one in three (35%) said the CEO should pay a fine
  • Over a quarter (27%) said the CEO should resign
  • A quarter (25%) said the CEO should take a pay cut or be demoted
  • And over two-fifths (42%) said the CEO should publicly apologize

On the topic of whether to pay up or not, Jelley concluded: “We agree with the public when it comes to not paying the ransom. Paying a ransom can often propagate the problem and provide attackers with more resources to continue developing more frequent and more advanced attacks. Plus, attackers will typically leave vulnerabilities in the devices of those businesses that have paid up, enabling them to come back again for recurring revenues.”

And whether companies choose to pay the extortion or not, the real cost of ransomware is downtime, lost productivity and reputational damage, he said. "We believe it's far better, then, to have a tried-and-tested data protection solution in place before the hackers come with their demands."