Would You Pay a Hacker’s Ransom? Research Shows 69% of Retailers Did
For years, cybersecurity experts have debated whether companies should pay hackers’ ransoms. Some experts pointed to the expediency of handing over the ransom — it can be less expensive to pay than to spend time and money getting systems back up and running. However, the overwhelming majority argued that paying the ransom encouraged more attacks.
Regardless of what experts suggest, executives are paying.
My firm recently released new research which revealed that 53 percent of executives from a broad range of industries paid a hacker’s ransom following a cyberattack. This marks the first time more executives have reported paying than not since the survey began five years ago. In retail, the percentage is even higher. More than two-thirds (69 percent) of executives reported a payoff.
This willingness of executives to pay ransoms and mitigate system shutdowns underscores just how important it is for retailers to maintain constant network availability and secure customer data. Fifty-eight percent of executives say customer loss after a cyberattack is their top fear, and paying the ransom is potentially one way to minimize fallout. Now more than ever before, customers expect retailers to keep their information safe, and companies that can’t do so face eroding years of trust.
Compared to other industries like financial services, retailers face more attacks that attract the attention of executives each year; over a 12-month period, executives at the typical retailer said they experienced approximately 19 attacks. Nearly two-thirds of retailers are attacked at least once a month. Financial services companies, by comparison, reported about nine major attacks per year.
In preparation for inevitable attacks, retailers have adopted a pair of important security tools to a degree their peers in other industries have not. Retailers are more likely to rely on state-of-the-art technology, like web application firewalls and application delivery controllers. Nearly half of retail executives said they used either one or the other, compared to 41 percent of financial services companies. While those stats might paint a picture of a proactive security posture, retailers were more likely than other industries to say a hacker could penetrate their network. They still have a long way to go.
As retailers improve their overall offerings and the customer experience, they build increasingly complex networks that do everything from tracking customer buying habits and setting prices to analyzing the success of marketing campaigns, managing inventory, and more. Today, many of these activities take place in the cloud. In fact, almost two-thirds of retailers hold half or more of their data in a cloud. While cloud environments can make companies more agile, cloud platforms often don’t have uniform security policies, leading to security gaps throughout the network and creating vulnerabilities for hackers to exploit.
As retailers continue to expand their use of IT solutions, increasing network complexity, the number of illicit entry points into their systems will rise. When retailers improve their technology to enhance customer experience, executives should arrange the same for their cybersecurity. Better defenses will reduce the need for executives to make that hard decision between system availability and paying a hacker’s ransom, and will help assuage one of their greatest cyberattack fears: customer loss.
Mike O’Malley is the vice president of marketing at Radware, a position to which he brings 20 years of experience in strategy, product and business development, marketing, M&A, and executive management.