Should you pay to retrieve hijacked data?

Prevention is better than cure as the digital world increasingly faces the growing threat of cyber attacks, experts say

From left, Jeff Lanza, Bruno Fonseca, Somnath Sarkar and Ronen Kotlovsky speak at a panel discussion on the GCC ransomware situation during Intersec 2022 at the Dubai World Trade Centre. Antonie Robertson / The National
Powered by automated translation

Paying ransom to recover hijacked data from a cyber attack seems to be a quick and easy way to solve the problem, but victims must take into consideration the tricky nature of the web's underworld and the consequences to both organisations and individuals, experts say.

Cyber threats exists in all sectors but protecting oneself against potential attacks boils down to which entities are more effective in their practices and how responsible people are, industry leaders said during discussions as Intersec 2022 at the Dubai World Trade Centre on Monday.

“It's a very, very difficult decision to take by the management of a company to pay ransom. There is no guarantee that your data will be returned,” Ronen Kotlovsky, a business mentor at the Israel Export Institute, said at a panel session.

“The most important thing is to solve it very quickly. If you're not paying, go to the authorities. Ask for proof from the attackers that you'll get your data back. But even then, there's still no guarantee.”

Ransomware, as defined by US telecoms gear maker Cisco, is a type of cyber attack that encrypts a victim's data, after which the attacker demands a ransom. Once the ransom is paid, the attacker sends a decryption key to restore access to the data.

Ransom can range from a few hundred dollars to millions. Nowadays, payment is typically demanded in the form of a cryptocurrency like Bitcoin.

Costs due to ransomware, specifically, have the potential to hit $265 billion by 2031, with a possibility of a new attack every two seconds, a report by research firm Cybersecurity Ventures showed.

Paying ransom should be the court of last resort, experts said, and added that prevention is better than cure.

“A holistic perspective with several layers of protection can be successful in deterring an attack. Proper asset management and simple things should be in place — that’s basic security hygiene,” said Bruno Fonseca, regional chief security officer at Axa Insurance Gulf.

The Middle East and Africa's cybersecurity market was valued at over $1.9bn in 2020 and is expected to hit almost $2.9bn by 2026, Mordor Intelligence reported. The rapid digitalisation in Mena countries, especially the UAE and Saudi Arabia, has triggered more connected devices, opening up new gateways for attacks.

Overall criminal cyber activity was projected to inflict damages totalling about $6 trillion globally in 2021, a study by Cybersecurity Ventures showed. By 2025, this is projected to surge 250 per cent to about $10.5tn from 2015's $3tn.

Humans disregarding logic and common sense

Cyber criminals continuously seek methods to exploit vulnerabilities in organisations' IT infrastructure and the smallest of loopholes can cause major damage.

The average cost of breaches amounted to $3.6 million per incident for businesses in the first half of 2021, a cybersecurity study released by The World Economic Forum said.

“This is the effect of poor cybersecurity processes: if you leave them weak, you are increasing the chances for an attack,” said Somnath Sarkar, group head of information security at Dubai-based Mashreq Bank.

The most important thing is to solve it very quickly. If you're not paying, go to the authorities. Ask for proof from the attackers that you'll get your data back. But even then, there's still no guarantee
Ronen Kotlovsky, business mentor at the Israel Export Institute

Then again, carelessness from a single individual user can cause equal or even greater harm. A common strategy used by bad actors on the web is sending out purported financial offers or perks, enticing users to click or tap on them. Once they are clicked on, it makes them more vulnerable to cyber attacks.

“An emotional response to something, such as a gift card, special offer or unpaid invoice, overcomes logic and common sense,” said Jeff Lanza, former special agent with the US FBI.

About 95 per cent of breaches are primarily caused by human error, IBM's “Cyber Security Intelligence Index Report” said. A previous study from the company put the average cost of cybersecurity breaches caused by human error at $3.33m.

In the Middle East, cyber attacks largely focused on financial and government institutions between the fourth quarter of 2019 and the third quarter of last year, a MasterCard study released last week showed.

In Africa, the focus was more on hacking credit cards, services and sensitive data.

“Cyber security is a key enabler for customers who want quick and on-demand service … engaging your business teams early in the conversation can help prevent attacks,” Amit Mehta, cybersecurity advisory practice lead at the New York-based global payments company, said in another discussion.

The most difficult part of cyber transformation, said Mr Sarkar, is training staff, which should be continuous, not limited to classroom-type programmes and taking them through the entire process.

“It's more of a lifestyle change rather than a corporate responsibility. It needs a lot of change and investment and process,” he added.

The burden is shared by cybersecurity professionals. Those working in IT are seen as “monolithic”, a belief that they are made up of a specific “kind” of person, adding to their misunderstanding, Paul Poteete, associate professor of computer science and cyber security at Geneva College, said in a separate presentation.

A solution for this is to align cybersecurity tasks with personality traits, allowing the streamlining of roles to people at a level that both increases individual performance and satisfaction as well as organisational performance and retention.

Unless we collaborate, we will be left behind because of frauds and scams ... by about three to four years
Charanjeet Singh, senior vice president and head of fraud risk and investigation at First Abu Dhabi Bank

“Unless we collaborate, we will be left behind because of frauds and scams … by about three to four years,” said Charanjeet Singh, a senior vice president and head of fraud risk and investigation at First Abu Dhabi Bank, the UAE's largest lender.

One strategy that can be adapted by organisations in protecting their data is the so-called 3-2-1 rule, said Mr Lanza.

The 3-2-1 backup rule — called a “revered and time-honoured strategy” by data protection firm Unitrends — states that there should be three copies of data — production data and two backups — on two different media, disk and tape, with one copy off-site for disaster recovery.

This is recommended by the US government as well as Carnegie Mellon University.

“If we protect ourselves well enough, we don’t have to worry about cyber threats,” Mr Fonseca said.

Updated: January 18, 2022, 6:00 AM