Is it ethical to pay extortion to ransomware for quick recovery?
Give in to Ransomware? Extortion
Definition of “Extortion”
The word extortion was explained in Merriam Webster dictionary, as “an act or practice of extorting (to obtain from a person by force, intimidation, or undue or illegal power) especially money or other property”,
in the modern world, we see extortion in the form of money payout in exchange for safely returning a kidnapped person in an illegal ransom activity.
Extortion in the cybernetic world
When owning a company or business, it is vital to secure it from any physical incidents that might hinder its operations. But how about those threats that menace the electronic financial data of the business and even the personal data pertaining to the company's customers itself?. The Advance in technology has made it easier for criminals to lurk and try to get money through electronic mediums. As a result, this has given ground to the emerging method of cyber extortion.
What is cyber extortion?
The meaning of extortion itself applies to any forceful method a criminal might use to try and extract money or other important assets from you or your company. Nowadays, criminals with programming experience have taken what we regularly understand as extortion and introduced it into the computer/electronic world. Cyber extortion criminals also demand money from the business. Still, they would most likely demand it in the form of an electronic currency that is also anonymous to avoid any kind of tracking. However, the object of the extortion does not involve physical elements, nor do they threaten you in any physical manner. They do it by sneaking into your business' electronic devices and by threatening you with any valuable information found there.
Ransomware has become the most common medium used by cybercriminals to extort their business victims. As the name suggests, Ransomware is a virus that can allow criminals to sneak into your business computer systems and hold your most important data under a lock. Ransomware is dangerous, as it gives the criminals full control over your hacked electronic device, meaning they can do whatever they want with the information found within it. They could threaten you to delete your most important information and even leak it to the public, which might concern businesses that hold very confidential and sensitive information from their clients.
What insurance should you get to protect your business against cyber extortion?
The Insurance Bureau of Canadaexplains that
Cyber insurance can cover anything from "The costs of hiring a breach response firm for forensic investigations of the ransom to Income your business loses and the costs it incurs due to an interruption in services.
Cyber insurance is also there to provide business coverage for any damage to the business's equipment that resulted from the specific Ransomware, coverage to help you recover your stolen and manipulated information, and even to cover for legal expenses that might come after the incident. Some cyber insurances might even provide coverage to help you restore your company's trusted reputation and even the expenses incurred while notifying all your customers of the information breach incident.
Would an insurance company encourage you to pay extortion money?
There is no doubt. An insurance company would try their best to avoid unnecessary losses or to try at least and reduce their losses to the bare minimum. So why would an insurance company encourage you to go ahead and pay the ransom to the person who is threatening you of deleting or possibly exposing all your confidential business data?. The answer lies in the complexity and the risk involved when trying to look for a less expensive and simpler way to avoid paying the ransom. What does this mean? Simply put, paying the ransom might be a less complicated option involving less time and effort, and therefore it could also allow the insurance company to save money.
It might be that the insurance company decides they won't give in to the demands of the person carrying out the extortion, and they would try and recover the data that is being kept hostage. In this process, however, the insurance company needs to take into account that it might be a longer and more costly journey. They might have to pay for extra coverage because the company being affected would probably need to cease operations while they try to recover the data. They also are risking the fact that the company's data could be leaked and therefore cost way more serious financial damages. For example, what if the business whose information is being held for ransom is a government institution holding private information of its citizens. What if this information gets leaked?. There is not an exact established parameter that can measure how much it will cost the insurance company to repair the damages. Overall, the risks are high, and it's hard to believe that most insurance companies would be willing to take a chance.
Is it ethically correct to keep paying ransoms? Or are insurances just funding the syndicate to run more crime?
Yes, it might be easy to just pay for a ransom and not have to deal with longer processes involving data and reputation recovery. However, by simply paying ransoms to criminals, wouldn't insurance companies be promoting more cyber extortion?
The company Kaspersky conducted a research on the activities of their antivirus users and noticed an increase of over 17% on the claims of people experiencing ransomware between the months of April of 2015 and march of 2016 (In comparison to the same period from previous years).
Moreover, in 2019, the company EMSISOFT conducted research on the ransomware submissions to their “ID Ransomware” services which concluded that just in Canada that year there were more than 4500 claim submissions.
The way insurance companies are willing to pay for ransoms to avoid significant trouble makes it easier for other cybercriminals to realize they might also have the opportunity to win big money by breaching a company's data and demand money. Therefore, the crime rates increase, and the problems don't cease to exist. So yes, it is unethical for insurance companies to foment the expansion of cyber extortion by taking the easy way out. The more this is done, the more this will keep becoming a bigger nuisance.