My company was attacked by cyber attackers. Should I pay the ransom?

That it pays to invest in cybersecurity is a bare fact. Sometimes it takes little to prevent an attack. But practice shows that companies underestimate it. They assume that they are uninteresting to an attacker and thus become an easy target. This means they risk seeing a message on their device saying: ‘You’ve been hacked, pay the ransom or you won’t be able to access your data’. In a panic, paying seems to be the easiest, if not the only, way. However, this is a big MISTAKE!

Why never pay

Simply put: a cyber attacker is a common criminal; he doesn’t care about your data. He is only interested in your money. Counting on getting your data back is more than naive. “It is important to understand that attack code is not the product of any serious software company, which would go through the entire development cycle from design to testing. It’s just a piece of code that sort of works. The priority is to encrypt the data, nobody cares if it can decrypt it,” explains ethical hacker and GAMO cybersecurity expert Ľubomír Kopáček. Attackers like to use the tactic of decrypting part of the data as a so-called demonstration. “But this tactic is totally untrustworthy and says nothing. Another argument for not paying is that if you pay and don’t do a perfect “clean-up” of the compromised systems at the same time, you can count on the same incident happening again soon,” Kopáček continues.

These are simple and logical explanations. But there are also much bigger and more serious risks that victims may face.

Support for international terrorism

As a rule, attackers demand payment of ransom in the form of cryptocurrencies. These are the ideal means of payment for cyber criminals, as it is usually impossible to identify the recipient. There are known cases where they have been traced, but this can be considered a rarity.

The practical problem associated with paying in any cryptocurrency is how to get such a transaction into the accounting system, and thus how to legally use company money to pay the attacker. There is also the risk of a fine from the tax office, as you cannot prove what services you used the money for. Moreover, buying cryptocurrencies is not exactly a simple process. There are more limits than meet the eye. Take, for example, an attacker who sets the ransom at 110 thousand euros.

“First you need to secure a cryptocurrency wallet, which is usually the least of your problems. You just need it in the form of a mobile phone app. The first limit you’ll run into is the credit card limit when buying cryptocurrencies. You can’t buy such an amount in one go in an official way,” says Ľubomír Kopáček. You can only buy it gradually in smaller amounts. At the same time, you still have to hope for a good exchange rate and count on transaction fees. “At 110 thousand, you would pay another 12 to 20 thousand euros in transaction fees. High amounts in terms of implementation and costs are a very big problem,” he adds.

To report or not to report an incident

It is certainly prudent to report the incident. If the victim of an attack is regulated by the Cybersecurity Act and the incident is assessed as serious, there is even a legal obligation to do so. Experts also recommend filing a criminal report, as it is useful to have an official record of the whole matter for possible further problems with other authorities (tax office, social security, health insurance, etc.). “Remaining silent during an incident is not only unwise, it is also illegal in most civilised countries and could cost society more money. I understand that companies see sharing information about an incident as a potential reputational risk, but not sharing information can in turn cause even more problems for companies if, for example, the incident becomes known to the public, so to speak, accidentally,” the GAMO IT expert reminds us.

Depending on the sector in which a company or organisation operates, it may be regulated by different legislation which, among other things, prescribes how to deal with cyber security incidents. In certain sectors, several laws and decrees even operate simultaneously. In particular, the Cybersecurity Act on Administrative Offences can impose a fine of between EUR 300 and 300 thousand for negligence in relation to a security incident (failure to report or deal with it). The incident itself is not a reason for imposing a fine, but the negligence in dealing with it is.

It is important to say here that a fine imposed by the State or the European Union should in no way be ruinous for the company, but should be proportionate. The cyber attacker, however, is not concerned with the question of whether his attack will put you in existential danger.

Why file a criminal complaint

In all cases, the attacker will warn you not to contact the police or a third party during the attack. However, if you cannot use your systems and workstations, you can expect penalties and fines for delay from the authorities, whether the social security office or the tax office, and to these you have to prove that the act actually happened.

You would do the same if, for example, someone broke down the gate in front of your house: you would call the police so that you could show your insurance company a record of the incident.

So paying an attacker is definitely not a good way to go. All of these pitfalls can be avoided by proper prevention and by investing in the protection of information systems.

Published: 27. August 2021

Zuzana Omelková

Cybersecurity

GAMO a.s.
