Around 65% of UK businesses that find themselves locked out of critical files and data due to a ransomware attack end up paying the ransom (source: Trend Micro).

If you find yourself confronted with a ransomware incident and are unable to access business data, it’s not recommended to pay the ransom to the cyber criminals. Only 45% of those infected got their data back upon paying up. This means 1 in 5 companies paid, but didn’t get their data back. So why are so many paying up?

Why Pay the Ransom to Criminals?

The main reason most businesses pay the ransom is a severe lack of business continuity planning.

The only way to get the data back is to decrypt it with the key held by the criminals, or to restore it from a backup. If no backups are in place (an unfortunate reality for many businesses), or the backup process fails (another reality, as many businesses use older, cheaper and less reliable backup methods), then the only other option to retrieve the data is to pay the cyber criminals and hope they play ball.

In addition to this, the ransom is often not set so high that it’s prohibitively expensive. It can be under £2,000, and sometimes is as low as £500. This can make it a more attractive option than going through the clean-up and restore process, which takes time – time with no access to the affected data.

Small Businesses the Number One Target

It’s a common misconception that cyber criminals only target larger businesses. Big companies and organisations may make headline news when they suffer a security breach, but hundreds of small and medium sized businesses are breached every day.

Going after smaller businesses has proven to be a more lucrative approach than targeting larger ones. Here’s why:

  • Many smaller businesses are not adequately protected against cyber crime – and lack the technological defences to prevent a breach.
  • A lot of small and medium businesses don’t have reliable backup in place, so must pay the ransom to retrieve their data.
  • For these businesses, accepting the loss of data isn’t an option.
  • Smaller businesses can’t weather the customer storm that will kick up if data is lost: it would lead to so much negative press that their reputation couldn’t survive.
  • They want to avoid fines from regulatory bodies if data is lost.

Security firm Malwarebytes surveyed 500 companies in four countries and found one-third of victims lost revenue as a result of an attack.