

I’ve been talking this week about ransomware – specifically, your organisation’s ransomware policy, your response plan, and the need to follow Mike Tyson’s advice by testing the plan.

However, despite your best efforts – despite your reliable backups and despite your reliable response plan – you could still find yourself in a difficult situation.


And that is when the criminals tell you they also took a copy of your data and threaten to publish it unless you pay the ransom.

They promise to delete their copy of your data if you pay the ransom.


What do you do?

  1. Don’t pay the ransom, and thus reveal the stolen data to the media, your customers, and your competitors; or
  2. Pay the ransom, and thus prevent a major data breach.


It’s understandable why many organisations go with option 2.


But in reality, option 2 is an illusion.

You can’t prevent the data breach at this stage, because it has already happened:

  • From a ‘data protection’ perspective, the breach happened when the criminals gained access to the data in the first place.
  • From a ‘risk of disclosure’ perspective, the risk materialised when they took a copy of the data.


Paying the ransom now is like closing the barn door after your beloved horse (called ‘Data’) has bolted.

If you pay the ransom now…

  • You’ll reinforce the criminals’ suspicion that your data is valuable, reducing the likelihood that it will be deleted as promised.
  • You’ll demonstrate a willingness to transact with criminals, increasing the likelihood that you will hear from them again.


So what should you do?

Once the criminals have found a way into your organisation, it’s difficult to stop them from escaping with your data*.

This is why it is so important to try to block them from gaining access in the first place.

Simple measures can provide significant benefits, such as:

  1. Protecting your accounts with Multi-Factor Authentication (MFA), so they need more than just a password to gain access.
  2. Training staff, and regularly reminding them, about how the criminals try to fool them into opening the door.
  3. Keeping devices up-to-date with security patches.
  4. Removing local administrator privileges from the user accounts used by staff on a day-to-day basis. Special privileges should only be used for special occasions.
  5. Restricting access to your most valuable data. Not everyone needs access to everything.


These measures won’t provide a complete defence against this type of attack, but they are key components of a Secure Foundation.


* Difficult, but not impossible. There are many potential solutions to spot and block ‘data exfiltration’. But they can be complicated to configure and costly to sustain.