Ransomware: Consumers would hold CEOs personally responsible for attacks

Some people believe the CEO of a company hit by ransomware should pay a fine, resign, or even be sent to prison, says Veritas.

A successful ransomware attack can hurt an organization in a variety of ways. Beyond the loss of sensitive data and the financial costs, an organization's reputation and trust among the public can quickly sour. And when seeking someone specific to blame for the loss of their personal data, many consumers are likely to go straight to the top. A report released Monday by data protection firm Veritas illustrates how the buck stops at the CEO.

Based on a survey of 12,000 consumers across six different countries, the Veritas report found that 40% of consumers would hold CEOs personally responsible for ransomware breaches.

Drilling down, 34% would want the CEO to pay a fine, 29% would demand that the CEO be banned from running a company in the future, and 29% would even demand a prison sentence for the CEO. Some 27% would want the CEO to resign, 25% would want the CEO to take a pay cut or be demoted, and 24% would want a public apology.

How organizations should handle ransomware threats is a matter of some inconsistency among consumers. A full 71% of respondents said that hacked companies should stand up to cybercriminals and refuse to pay the ransom. However, when their own personal data is at risk, the sentiment among consumers changes. In this case, some 55% of those surveyed said they would want organizations to pay the ransom to enable the return of their sensitive records. To retrieve data held hostage, consumers feel that $1,167 is the average ransomware price that organizations should pay per affected person.

Falling prey to a ransomware attack can have severe repercussions. Among the respondents, 65% said they would demand compensation from the company if their data could not be restored. Some 44% said they'd stop using the company's services regardless of the outcome.

"It may seem that businesses are in an impossible situation with consumers telling them both to pay--and not to pay--ransoms," Simon Jelley, vice president of product management at Veritas Technologies, said in a press release. "However, what we, as customers, are really saying is that we want businesses to escape the dilemma by avoiding the situation in the first place. Consumers expect businesses to have the technology in place to restore their data without negotiating."

To protect consumer data from ransomware attacks, 79% of the respondents said they expect companies to implement security software. Some 62% also expect organizations to have backup copies of their data.

"As consumers, we are increasingly well-educated about ransomware, so we're unforgiving of businesses that don't take it as seriously as we do ourselves," Jelley said. "The two most essential things that businesses should have in place, according to their customers, are protection software and backup copies of their data. Now, it seems, if businesses don't get these basics right, consumers are ready to punish their leadership."

To compile the report, Veritas interviewed 2,000 consumers in each of six different countries in April 2020, specifically China, France, Germany, Japan, the UK, and the US, for a total of 12,000 adults older than 18.
