Should businesses negotiate with ransomware criminals? 

By David Trump, Cyber Security Director, BOM IT Solutions 

Since the beginning of 2023, household names such as Royal Mail, Arnold Clark, WH Smith and Uber have all fallen victim to cyber-attacks. The reality, however, is that these are just a few of the high-profile names among the thousands of UK businesses and organisations that have been targeted by cybercriminals in the first quarter of the year. 

Ransomware is one of the most common types of malware used in cyber-attacks. These attacks involve cybercriminals blackmailing victims in order to extort large amounts of money from them, usually in exchange for stolen data being returned or decrypted, or the promise that it won’t be released publicly. Other ransom threats include locking organisations out of critical systems, causing untold disruption to customers and potentially leaving reputations in tatters. 

Last year, one in four SMEs experienced a ransomware attack, and during the first half of 2022 there were 236.1 million such attacks worldwide. The associated costs are eye-watering too. According to IBM’s 2022 report, the average ransom payment is $812,360, or £650,000. However, this is only part of the total cost. When taking into account disruption, downtime and loss of business, IBM puts the average cost per attack at $4.5 million, nearly £4 million. In the UK, businesses should note they will also be liable to fines from the ICO for breaching GDPR guidelines should they fall victim to an attack where data is stolen. This can be up to 4% of global revenue. 

It’s not all doom and gloom, however, and there may be some light at the end of the tunnel in how organisations are responding. While an ever-greater number of companies are being held to ransom, the amount of money cyber gangs are managing to extort from victims is in decline. 

The amount paid to cybercriminals last year totalled $456.8 million (£402 million), down from $765.6 million (£675 million) the year before, a decline of over $300 million (£264 million) in 12 months. While under-reporting of costs and breaches is commonplace, these figures clearly indicate a downward shift. 

There are potentially a multitude…