pe3check - stock.adobe.com
Almost half (47%) of UK IT directors would “definitely” be willing to pay a ransom fee to hackers to avoid reporting a data breach and risking a fine under new EU data protection laws, a study has revealed.
A further 30% of UK IT leaders said they would “possibly” consider paying the criminals’ ransom if it was lower than the possible penalty for a breach under the EU’s General Data Protection Regulation (GDPR), while only one in five (18%) respondents completely ruled out paying off their attackers, according to the study, commissioned by security firm Sophos.
For breaching specific articles of the GDPR or if the breach is found to have infringed an organisation’s obligations, data protection authorities can impose fines of up to €10m, or 2% of annual global turnover, whichever is higher. But if the breach is found to have infringed any individual’s privacy rights, an organisation could face a fine up to €20m or 4% of annual global turnover, whichever is higher.
Before the GDPR came into force on 25 May 2018, Mikko Hypponen, chief research officer at F-Secure, predicted that the fines for data breaches could effectively drive cyber criminals’ ransom demands higher because companies were more likely to pay ransoms that were lower than the potential fines to avoid admitting a data breach and risk reputational damage.
The Sophos study revealed that small businesses were least likely to consider paying a ransomware demand, with 54% of IT directors at UK companies with fewer than 250 employees ruling out paying their attackers, while just 11% of directors at companies with 500-750 employees said they would opt for this approach.
The study, based on more than 900 interviews conducted by market research firm Sapio Research, also showed that UK IT directors are significantly more likely to pay up than their counterparts in other Western European countries.
Of the five European countries studied, Irish IT directors were the least likely to pay. Just 19% said they would “definitely” be willing pay a ransom rather than a larger fine.
IT directors in France, Belgium and the Netherlands were also less likely to pay a ransom, with only 33% of respondents in France, 24% in Belgium and 38% in the Netherlands saying they would “definitely” be willing to pay.
Adam Bradley, UK managing director at Sophos, said it was “concerning” to learn that so many UK IT leaders misunderstand the threat and consequences of even a minor data breach.
Read more about the GDPR
“Companies that pay a ransom might regain access to their data, but it’s far from guaranteed and a false economy if they do it to avoid a penalty,” he said. “They still need to report the breach to the authorities and would face a significantly larger fine if they don’t report it promptly.”
Bradley said it was surprising that large companies appear to be those most likely to pay a ransom. “It is a mistake for companies of any size to trust hackers, or to expect that they will simply hand the data back,” he said.
“Our advice is not to pay the ransom, to tell the authorities promptly and make sure you take steps to minimise the chances of falling victim again.”
According to Bradley, cyber attackers tend to rely on phishing emails, unpatched software and remote access portals to gain access. “Therefore, organisations should make sure their systems and people are able to spot the signs of attacks,” he said.
The study also revealed that although UK IT directors are more likely to pay cyber ransoms, they are also the most confident of those polled that they are compliant with GDPR. Some 46% of UK IT directors said they were confident that their organisations are fully compliant with GDPR rules, compared with 44% in the Netherlands, 37% in France, 35% in the Republic of Ireland and 30% in Belgium.
However, just 13% of UK IT directors said they had tools in place to prove compliance in the event of a breach, compared with 27% in the Netherlands, 24% in France and 20% in Belgium.