Don't pay ransoms, but if our data is compromised pay £678 say consumers

News by Andrew McCorkell

Some 80 percent of UK consumers believe organisations should refuse to pay ransoms, but still hold companies financially liable for their personal data, a Veritas Technologies report shows.

Research from data management company Veritas Technologies shows users in the UK expect an average payout of £678 from businesses for a ransomware attack. 

But four-fifths of consumers living in the UK think businesses should not negotiate with criminals and should refuse to pay the ransom.

More than a third (35 percent) hold the CEO of a business personally responsible for any ransomware attack a business suffers.

And one-fifth (22 percent) say the CEO should face a prison sentence if the company falls victim to a ransomware attack.

Bharat Mistry, principal security strategist at Trend Micro, said: “Businesses should never pay the ransom. By doing so they set themselves up to be on a target list for some other criminal gang. Organisations need to wake up to the cyber threat and treat information security as a business-wide priority and not just an IT issue.

“If businesses treated cyber risk in the same manner as a business risk and set aside appropriate budget then the fallout from a cyber-attack would be minimal.” 

More than four-fifths (85 percent) expect there to be protection software in place, while 64 percent believe companies should have back-up copies of their data.

But when a consumer’s own personal data is compromised in an attack, there is a change of heart, as they want businesses to hand over an average of £678 per user to criminals.

The 2,000 consumers surveyed in the UK specified, on average, the following amounts for different data types:

  • Personal finances: £1,088
  • Child’s data: £926
  • Government records: £899
  • Medical records: £884
  • Personal cloud data: £784
  • User credentials: £694
  • Webmail: £618
  • Customer records: £514

Social media

  • Dating profile: £455
  • Messages: £448
  • Basic personal data: £427
  • Playlists information: £405
  • Average: £678

More than two thirds (68 percent) thought they should be personally compensated if the company still can’t retrieve the information that’s been stolen.

Simon Jelley, VP product management at Veritas Technologies, said: “While it may initially seem like businesses can’t win regardless of whether they pay or not, they are actually getting a clear message from consumers: people want their providers to escape the dilemma of whether to pay, or not to pay, by avoiding the situation in the first place.

“Our research shows that, if businesses want to please their customers, they need to prepare for an attack and be ready to recover from it - so, if the worst happens, they have tried-and-tested recovery procedures in place and there’s no need to pay out.”

Businesses that have adopted protection software and data backups are generally considered better able to respond to ransomware attacks. They can normally either prevent an attack or safely restore their data without needing to pay the attackers’ demands.

Jelley added: “In the past, ransomware was something that only affected a few unlucky people who were forced to pay a couple of hundred pounds to regain access to their locked-out laptops.

“Nowadays, it’s a multibillion-pound-a-year industry, as cybercriminals increasingly target vulnerable organisations. The costs don’t stop with the ransom payout; our survey also showed that people want to see fines and compensation too.”

A snapshot of the survey results shows that, where data has been lost:

  • More than one-fifth (22 percent) said the CEO should face a prison sentence
  • A quarter (25 percent) said the CEO should be banned from running companies in the future
  • Almost two-fifths (38 percent) said the CEO should pay a fine
  • Nearly two-fifths (36 percent) said the CEO should resign
  • More than a fifth (22 percent) said the CEO should take a pay cut or be demoted
  • Around two-fifths (39 percent) said the CEO should publicly apologise

Adding to the problem, there is the huge cost of getting a business back on track with downtime, loss of production, and challenges to deliver or bill for products.

Jelley said: “As a result, global ransomware damage costs are estimated to exceed £9 billion annually this year, and this does not take into account the cost of reputational damage to a company’s brand.”

The findings are part of global research, which asked consumers in China, France, Germany, Japan, the United Kingdom and the United States what they thought about ransomware.

The research was conducted and compiled for Veritas Technologies LLC by 3Gem.

Some 2,000 consumers were interviewed in each market (China, France, Germany, Japan, United Kingdom and the United States) in April 2020, a total of 12,000 adults over the age of 18.
