Ransomware attackers have been turning their gaze away from ordinary consumers as companies and enterprises offer more fertile hunting grounds, and the promise of much larger rewards than the average home user. For many hackers, attacking the little guy is no longer worth the effort.
However, this doesn’t mean our personal data is safe and sound. We all have data that is precious to us but looked after by somebody else. Dealing with almost any business today involves trusting them with some kind of data – whether it’s our medical records, financial information, shopping habits, family photos, or even our dating profiles.
If the data you share with a company is stolen or encrypted during a ransomware attack, retrieving it can be difficult. But should the company pay to have it returned? And what can you do as an individual to help keep your data safe in the first place?
To pay or not to pay?
Data can say more about you than any simple financial transaction. So when your data falls into the wrong hands, the impact can be devastating. If a criminal steals money from you online, you can often be reimbursed by your bank, insurer or issuer; but if a criminal steals your data, they can hold power over you long after the event.
Some data, such as family photos or academic work, can be irreplaceable on a personal level, but many types of data loss can be damaging. Imagine, for example, trying to get a new job without being able to prove your qualifications. Think about the cost of x-rays to recreate your dental records. Or consider simply not being able to qualify for the no-claims bonus on your car insurance. Any of these things could happen as the consequence of your data being stolen in a ransomware attack on one of the companies you currently do business with. So shouldn’t the company pay to fix things?
The case for a company paying the ransom for your data may appear strong but, sadly, the hope of regaining your data this way is often wishful thinking. Even if the ransom is paid, there’s no guarantee the attacker will return your information. Many hackers couldn’t give it back even if they wanted to, since they lack the technical capabilities to reverse the process they started. Little wonder then that 20% of paying victims don’t even have their stolen data returned.
And consumers rarely want the businesses they trust to be complicit in allowing crime to pay. Veritas research shows that under a quarter (23%) of consumers think that businesses should negotiate with cybercriminals. Similarly, just 27% think governments should engage with the attackers. In the majority of cases, prevention is far better than the cure. Customers say they expect the organisations that they buy from to have strong ransomware defences and a comprehensive data backup policy.
Staying safe, without surrendering
All too often, a ransomware attacker can bring its victims to a place where it feels like there’s no right decision. If the data can’t be restored another way, they must either pay the ransom and invite repeated attacks in the future, or they lose their data forever. Neither choice is a victory. When faced with an impossible decision, all anyone can do is work out how they got there in the first place and ensure it never happens again.
Ransomware attacks on ordinary consumers are rarer now, but they still happen. To avoid being caught out, be diligent when it comes to what emails you open and which links you click, and ensure you’re using up-to-date antivirus software. But you should always work on the assumption that a new virus or scam could sneak past your best defences. And, here, preparation is the key to success. Backing up your files is easy and, just to be safe, you should be saving multiple copies in different locations, such as external drives or in the Cloud. That way, if a hacker comes after your data, and successfully encrypts it, you don’t need to pay – you can simply restore another copy.
But, how do you protect the personal data that isn’t on your own computer? How do you defend the data that businesses hold on you?
The best way to do this is to make an informed and responsible decision over who you purchase from. Before engaging with a business that’s going to hold records on you, read its data policy carefully and check up on their history. Under GDPR, businesses are obliged to defend the data of their customers, but the enforcement leaves a lot of freedom for businesses to comply as they see fit, and not all invest the same resources in data protection.
If a business has a history of data breaches, or fails to mention the steps they take to protect customer information or back up their data, this should throw up a red flag. Just as you would never want to fly with a carrier that has a poor track record for safety, you shouldn’t be trusting your information to a business that has a poor track record for security. You’re not powerless to protect your data online; your choice of whom you do business with can make all the difference.