Intelligent CISO Issue 43 - Page 34

Developing cyberresilience should be a key imperative for organisations .

up – with all the ingredients of a modern IT business emerging in cybercriminal groups. They buy in Ransomware-as-a-Service from other groups, run dedicated websites to disperse leaks, and even employ customer service agents to ‘help’ victims purchase and transfer cryptocurrency payments.
If ransomware payments are made illegal, adversary groups will very quickly set up a system of brokerages and shell businesses to negate the problem of making payments for victims. They’re already experts at money-laundering – they have to be – and a simple act of legislation won’t make them break a sweat.
Then, victims might also wish to break the law if a criminal ban on ransomware payments is enacted. If a business determines that the effects of a current ransomware attack will be catastrophic, then it might decide to pay in an act of desperation, no matter that, as we’ve discussed, it’s not likely to be a successful tactic. In this circumstance, legislation would criminalise the victims of the real criminals, adding to their financial burden and lessening their ability to recover from the attack. And law enforcement agencies will have considerably less chance of stopping and apprehending adversary groups, because victims will be much more motivated to keep attacks on their systems a secret.
We should also understand that legal bans on activities people want to do are often unenforceable and can have deeper, pernicious effects, sometimes outweighing the benefits of the bans. Prohibition famously led to the rise of bootlegging, speakeasies and criminal gangs in 1920s America. Bans on other drugs have fuelled criminal empires. Desired-but-illegal activities all over the world have created vast shadow economies. A ban is by no means always a cure.
Hard solutions
Whether to formally ban ransomware payments is a complex policy matter that may not be dealt with for some time, so what then is the way forward for businesses and society?
At a broad level, there needs to be a much wider understanding of why paying ransoms is such a bad idea. Paying up probably won’t work for the individual business, for the reasons we’ve discussed. Their efforts should therefore be laser-focused on preventing, intercepting, eliminating and recovering from breaches. They need enforceable, comprehensive policies
34 www.intelligentciso.com