Companies that pay ransomware attackers get thumbs down from consumers

More than half of those surveyed by data management firm Cohesity said that companies that pay the ransom in an attack encourage ransomware and bad actors.

ransomware cybercrime

Image: Shutterstock/Vchal

One of the biggest questions faced by an organization hit by ransomware is whether to pay the ransom. Many do pay simply because they feel it's the quickest and easiest way of getting back to business. But that strategy is not one favored by many consumers, some of whom would avoid a company that's not only victimized by ransomware but ends up paying the ransom.

SEE: Ransomware: A cheat sheet for professionals (TechRepublic)  

Survey results released Monday by data management firm Cohesity reveal how consumers feel about organizations that suffer a ransomware attack. Commissioned by Cohesity and conducted by Propeller Insights in August 2021, the survey elicited responses from more than 1,000 U.S. consumers between the ages of 18 through 75, and older, all of whom have heard of ransomware.

Among the respondents, 81% said they were familiar with the recent ransomware attacks on Colonial Pipeline, JBS Holdings, Kaseya, SolarWinds and U.S. hospitals.

Some 22% said that a company with which they do business had been hit by ransomware, while 21% believe their own company had been hurt by an attack. Those surveyed pointed to government, financial services and insurance, oil and energy, healthcare and pharmaceutical, and technology as the top industries most vulnerable to ransomware.

Some 40% of the respondents, said they think that organizations hit by ransomware should not pay the ransom. More than half of those surveyed said that companies that do pay the ransom encourage more ransomware and cybercriminals. And 43% believe that ransom payments increase the prices consumers pay for goods and services.

An organization that pays a ransom risks a bad reputation with consumers. Some 23% of those surveyed said they'd stop doing business with a company that paid a ransom. Further 48% couldn't say whether or not they'd stop doing business but indicated this as a great concern and would give it a lot of thought.

SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic) 

Consumers naturally would lose confidence in a company impacted by ransomware for several reasons. Some 55% said they'd lose confidence due to the company's lack of proper security and data management. Some 54% would lose confidence if their own data were compromised. And 29% said they'd lose confidence if the attack entailed some inconvenience for them personally.

Further, 47% of those surveyed said they'd lose confidence if the company weren't forthcoming about the attack, while 22% would lose confidence if the company paid the ransom.

"Ransomware attacks are so prevalent that they are now part of our collective consciousness," Cohesity CISO Brian Spanswick said in a press release. "And our research indicates that when businesses pay the ransom, they run the risk of losing consumer confidence and prompting people to take their business elsewhere."

Consumers also believe organizations are failing to effectively combat ransomware attacks. Among the respondents, 42% said it was unlikely that companies are doing enough to protect their data. Toward that end, 61% said they feel companies should regularly test their systems for threats, and 59% said they should implement proper security software.

Some 47% believe companies should enable multi-factor authentication, while 39% think they should require stronger passwords. Finally, more than half said that organizations should adopt more advanced data management processes to better protect data and respond to potential threats.

"No organization is immune from ransomware attacks," Spanswick said. "But enterprises that implement modern security and next-gen data management strategies and can quickly recover if they are attacked—without having to pay the ransom—are the ones that will win favor with consumers over those that can't."

Also see