A new study has revealed that almost half (47%) of UK IT directors would ‘definitely’ be willing to pay a ransom fee to hackers who stole their company data, rather than report a breach to the authorities and pay a larger penalty under the EU General Data Protection Regulation (GDPR).
The research, commissioned by Sophos, show a further 30% of UK IT leaders said they would ‘possibly’ consider paying the criminals’ ransom if it was lower than the possible penalty for a breach. Only one in five (18%) respondents completely ruled out paying off their attackers.
Small businesses were least likely to consider paying a ransomware demand
● More than half (54%) of IT directors at UK companies with fewer than 250 employees ruled out paying their attackers
● Just 11% of directors at companies with 500 – 750 employees said they would opt for this approach
UK IT directors are significantly more likely to pay than their counterparts in other Western European countries
● Of the five European countries studied, Irish IT directors were the least likely to pay. Just 19% said they’d ‘definitely’ be willing pay a ransom over a larger fine
● IT directors in France, Belgium and the Netherlands were also less likely to pay a ransom. 33% of respondents in France, 24% of those in Belgium and 38% of IT directors from the Netherlands said they’d ‘definitely’ be willing to pay
UK IT directors are the most confident that they are compliant with GDPR
● The research also showed that 46% of UK IT directors were confident that their organisations are fully compliant with GDPR rules
● This is more than the number of IT directors in the Netherlands (44%), France (37%), the Republic of Ireland (35%) and Belgium (30%) who were confident their organisations were fully compliant
● Just 13% of UK IT directors said they had tools in place to prove compliance in the event of a breach. Organisations in the Netherlands (27%), France (24%) and Belgium (20%) said they were slightly better prepared in this regard
Cloud services are a popular option for managing risk in data protection
● 67% of UK IT directors said they had increased their use of cloud computing as a direct result of GDPR
Adam Bradley, UK managing director at Sophos, said: “It is concerning to learn that so many UK IT leaders misunderstand the threat and consequences of even a minor data breach. Companies that pay a ransom might regain access to their data, but it’s far from guaranteed and a false economy if they do it to avoid a penalty. They still need to report the breach to the authorities and would face a significantly larger fine if they don’t report it promptly.”
‘It is surprising that large companies appear to be those most likely to pay a ransom. It is a mistake for companies of any size to trust hackers, or to expect that they’ll simply hand the data back. Our advice? Don’t pay the ransom, do tell the authorities promptly and make sure you take steps to minimise the chances of falling victim again.
“The best way to avoid paying is to stay one step ahead of the cybercriminals. Hackers tend to rely on phishing emails, unpatched software and remote access portals to gain access, so make sure your systems and people are able to spot the signs of attacks. Patch early and patch often, and secure remote access points with proper passwords and multi-factor authentication.”
Sapio Research interviewed 906 IT directors and managers about their experiences of cybercrime and approaches to cyber security. The interviews were conducted online, primarily with IT decision makers working in companies with between 240 and 750 employees in Belgium, France, Ireland, Netherlands, UK and the Republic of Ireland.