Why companies are becoming more likely to pay when struck by ransomware

A study found that cybersecurity insurance is making companies more likely to pay up when confronted by a ransomware attack.

Pile of money

A quarter of companies have made their mind up when it comes to a ransomware attack. They're paying the ransom, according to a new study.

Twenty-four percent of companies say they would pay. And not only would they cough-up the money, but 14% of the polled would pay $1 million or more to prevent the attack, according to findings by the Cloud Security Alliance (CSA) and Skyhigh, who have compiled the study. The CSA is a non-profit promoting best-practices in cloud use; Skyhigh is a cloud security company.

The CSA surveyed 200 IT and security professionals across sectors worldwide. The researchers have been examining cloud take-up along with risk. They think that cyberattacks overall are a concern for enterprises "when it comes to moving their systems of record to the cloud," CSA and Skyhigh say in their report.

Systems of record data includes CRM management, accounting, and so on. Skyhigh thinks this genre of enterprise data will be the next major transition to the cloud.


Cybersecurity Insurance is an option to mitigate cybercrime, the report says. "Many cyber insurance plans now offer the option of cyber ransom coverage" too, says the report.

And that availability of insurance has something to do with the numbers of professionals who say they'd pay in a ransomware attack, the study's authors think.

Cyber insurance can pay out if the company hands over the demanded money. And there's a correlation "with whether the company has cyber insurance," and if they'd pay, the study found.

The researchers reckon that companies who didn't have the insurance are less likely to pay out. But not by much.


It might be a good idea, however, to check with the insurer before actually filling a bag with used green-backs and handing it over in some dark alley.

Target, in its 2013 (non-ransomware) credit card terminal data breach, only got $90 million in insurance payments for an attack that cost it $264 million, according to the authors of this study.

What are companies worried about?

Companies are concerned about a gamut of problems in an attack, not just data loss.

The 200 respondents were most concerned about lost reputation and trust, the study found. Financial loss was the second most concerning issue.

That was followed by worries related to data loss and destruction of data.

Intellectual property issues and data manipulation rounded out the concerns.

Not just cloud

To cloud or not to cloud? It's worth noting that the majority of physical PCs in the workplace were hit by a malware attempt in 2015, security outfit Kaspersky says. I wrote about those findings in January.

And indeed only 35% of the IT leaders polled in the study think cloud is less secure than "on-premises counterparts," Skyhigh says on its website.

Data exfiltration

However, I've written recently about how some security experts think data theft is a real and growing threat to cloud users.

In that article, it's leakage through the wide sharing of documents, some discoverable by simple Google searches, that experts say is causing significant losses.

Copyright © 2016 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022