My supplier has been compromised – should I still use them?

One of our suppliers was recently hit with a ransomware attack (or “cyber incident” as the new euphemism has it).

As a result their systems were offline for several weeks.

During this time they were relatively open to their customers about what had happened – they acknowledged it was ransomware, that they were in discussions with the attacker (or “bad actor”), and ultimately that they had paid the ransom.

Service is now back – should I stay?

Prior to this incident we had no reason to choose another supplier.

The market for this particular service is relatively small and any competitor would have to be able to offer something outstanding (in terms of service, capability, or price) for us to even consider going through the upheaval of changing platforms – not to mention the time taken to properly put it out to tender.

We like the service, we are happy with the support and account management.

So, has this assessment changed with the knowledge that they’ve been hacked?

Should this assessment change?

“They’ve been hacked once, they might get hacked again”

That’s the worry.

It has been proven that it’s possible for them to be hacked – does that now make it more likely to happen in the future?

Personally, I don’t think so.

Companies will get compromised – “assume breach” is the current mantra. The fact our supplier got hacked once tells you nothing about the likelihood of it happening again. Their efforts to prevent and remediate are a far better indication of future risk.

That’s why paying attention to security policies and statements is so important during vendor selection – you don’t want to wait until after a hack to find out their security posture.

All other things being equal, dumping a company known to have been hacked once for a company that hasn’t doesn’t make sense – unless you now know that previous attestations of security were just theatre.

Moral hazard

So – assuming that the hack hasn’t shown up a major issue with their internal security processes, are we good to go?

Depends on your view about paying ransoms. Can you hand-on-heart say that you would never pay a ransom demand if you were in a similar situation?

Law enforcement is pretty clear on this – we shouldn’t pay. Last month (as I write this) the UK NCSC and ICO called for solicitors to “help stem the rising tide of ransomware payments”, stating “that they do not encourage or condone paying ransoms” and that doing so “will not keep data safe”.

Indeed, if everyone stopped paying ransoms the whole ransomware market would dry up and fail. If no-one pays, the whole business model falls apart.

However, back in the real world that’s never going to happen.

For a variety of reasons there will always be people who will pay the ransom (they don’t have any backups, restore will take longer than decryption, they want to avoid data being released, etc.). Therefore refusing to pay a ransom demand purely on moral grounds is a futile gesture. You’ll get the warm fuzzies – but your action won’t stop the ransomware market.

Yes, if you do pay there is a chance that the decryption tool won’t work or the attacker will release data anyway. But if you don’t pay you are pretty much guaranteed that data will remain encrypted and any exfiltrated data will be exposed. If you need either decryption (for whatever reason) or assurance that data won’t be exposed, refusing to pay just introduces more risk to the business.

Are you happy to report your decision to the board: “yes, we could have paid £LotsOfMoney and been back in business sooner, but for moral reasons I decided not to and lost £EvenMoreMoney in lost business”? You are taking a gamble by paying – but it’s a lower risk than not paying.

Personally I view law enforcement’s “don’t pay ransomware payments” in a similar light to governments saying “we don’t negotiate with terrorists” – they may say it, but we all know that they do.

What did we do?

We stayed.

Hacks happen – no-one is immune, despite how good their security is.

Our provider was open and honest while dealing with something I hope I never have to deal with first-hand. There was nothing during this process that made me doubt their previous claims of system security. In fact, during this process my trust in the people and processes increased because of what they said and did.

I also have faith that any internal security improvements they propose will go through with far less resistance than they would in a company that hasn’t suffered an attack. Any proposed friction to systems and processes in the name of security will be far harder to argue against with a lived experience of what could happen.

I now have more faith in their ability to deal with security issues as I have seen their actions match their words.