NetworkTigers on the consequences of failing to report a ransomware attack
While the number of cyberattacks is alarming, security experts and authorities suspect the true number is much higher, and that the reported figure is only as low as it is because many businesses opt not to report a ransomware attack they’ve suffered.
Ransomware damage at a glance
Despite research showing that the pandemic-related surge in ransomware attacks is subsiding, they continue to be a scourge to both private and public organizations. Even though attack rates appear to be declining, threat actors demand increasingly large sums of money to restore victims’ systems. The average ransom payout in 2022 surged to more than $258,000, and collateral costs, including recovery and investigation, were $4.54 million.
Headlines and breaking news make it appear otherwise, but small businesses are targeted by ransomware attacks far more often than major ones. Worse, many are simply unable to recover, with 60% of small companies filing for bankruptcy in the six months following an attack. The average time it takes for a business to recover after an attack is a crushing 279 days.
With numbers like these, one would expect businesses to welcome all the help they can get to recover from an attack. However, there are a handful of reasons why some organizations, unfortunately, choose to keep their cards close to the vest.
Why some businesses don’t report ransomware attacks
It likely won’t lead to justice
When a foreign threat actor deploys an attack under layers of obfuscation, there is usually little that authorities can do to track the hacker down, let alone bring them to justice. Once a company’s data is exfiltrated, nothing can stop the threat actor from trading it with others, posting it online, or otherwise utilizing it to suit their needs. This can make reporting a ransomware attack seem like a waste of time.
It won’t restore their data
Law enforcement is also not in the business of restoring damaged networks. Their involvement adds another moving part to a situation that is already a complicated and potentially devastating headache. While catching the bad guys may feel good, the damage is done, and many organizations choose to deal with the incident on their own terms.
Fear of regulatory repercussions
Some business owners don’t report a ransomware attack because they’re worried that involving law enforcement will invite additional regulatory scrutiny into their business operations. While this motivation does call into question the morality of how a company functions, the reality is that regulatory intervention can slow down or complicate matters for even the most compliant companies.
Fear of public backlash
While much can be said about whether or not the general public truly cares about the fallout from a breach outside of stolen crypto or a downed website, organizations know that the optics surrounding a ransomware attack are never positive.
A successful attack can make a company appear inept at best and negligent at worst. Opening up the floodgates to the public means a company must carefully manage its discourse surrounding the attack and make careful PR decisions. Many businesses falter when it comes to threading the needle between responsibly admitting that customer data has been compromised and reassuring people that everything is being done to keep the damage in check. As a result, some mistakenly prefer to keep the breach under wraps.
Why you should always report a ransomware attack
You’ll be on your own if you don’t
While the FBI isn’t going to recruit a team of IT professionals to restore a company’s damaged network, the power it has as law enforcement can prove valuable when it comes to obtaining information from ISPs and even working with foreign agencies that may be able to assist. This can yield insight that a private investigation alone may not be able to glean, making reporting a ransomware attack a productive first step in recovery.
Your insurance may not help you otherwise
Some cybersecurity insurance providers require covered organizations to disclose attacks to law enforcement. Doing so ensures compliance, moves the case along more quickly, and keeps the ducks in a row after an incident. Failure to follow an insurer’s rules puts a company at odds with its coverage and may result in it being unable to collect on its claim.
Regulators and lawmakers appreciate it
A company’s ability to show that it left no stone unturned by reporting a ransomware attack looks good in the eyes of regulators. Showing that law enforcement was immediately involved reinforces the idea that an organization has compliance in mind, is not engaging in shady business practices, and is doing its best to look out for the interests of any parties affected by the attack.
Honesty is the best public policy
If a company does not report a ransomware attack and its customers suffer the consequences or, in many cases, find out months after the fact that their data was exposed, the damage to its reputation can be severe.
Navigating public opinion, especially in the age of social media, is challenging. However, most customers prefer honest, upfront disclosure and transparency over clandestine maneuvering.
Suppose the public discovers that a company suffered an attack in which their information was affected and attempted to keep customers in the dark. In that case, it calls into question the organization’s entire moral standing. Was the company not maintaining proper security protocols? Would they rather sacrifice the privacy of their customers than admit fault? Are they covering up the fact that they didn’t work to improve their security after the attack? What other questionable practices might they be hiding?
In the long run, it’s far better for an organization to bite the bullet early on than to attempt to save face later and appear unscrupulous.
Reporting ransomware attacks improves cybersecurity for all
When it comes to cybersecurity, knowledge is power. Reporting a ransomware attack to the authorities allows them to collect information on the incident that can be compiled into existing cases and databases from which the FBI, CISA, and businesses can draw. Attackers often target multiple victims using the same strategies, so it’s important to identify recurring trends. One organization’s breach may contain clues or information that shed light on other cases.
The more information collected regarding attack patterns, methodologies, malware variants deployed, and vectors used, the easier it is to limit the damage caused by similar or related attacks and defend against them in the future.