Business: What Will You Do When Ransomware Asks for a Donation?

Much has been said about the recent news that the Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital's network. According to a 2015 Symantec report on ransomware, which first appeared in 2005 with the Trojan.Gpcoder Trojan horse virus, the risk has only increased in frequency and reach, with the United States, Japan, United Kingdom, Italy, Germany, and Russia most significantly impacted.

Beyond the business decision on whether or not to pay the ransom, the reputational consequences of the decision to pay or not to pay need to be vetted carefully. If the ransom is paid, vulnerability to attacks and ransom demands increases, which can put targets in a seemingly never-ending cycle of headline risk and financial peril. If the ransom is not paid, stakeholder trust and brand equity may be mortgaged because the enterprise appears to be putting its own interests above those of the customer. This is especially concerning when an organization's core commercial promise is in play, which was the case for Hollywood Presbyterian and its patients in the context of safety and well-being.

But the question remains open on the true impact of ransomware. As is the case with many frivolous lawsuits where settlement often makes more financial sense than protracted litigation, ransomware may represent the unsavory cost of doing business in an age of anonymity and untraceability. Conversely, this scourge may represent a clarion call for greater intelligence and investigative sophistication coupled with the innovation capacity necessary to keep pace with cyber criminals.

As ransomware risk escalates, time will tell whether organizations heed the lessons of Hollywood Presbyterian and seize the opportunity to re-think not only their approach to information security but also the opportunity to engage in response scenario planning and training. Companies are clearly on notice that cyber ransom risk is real and have every ability to be prepared if or, more likely, when a bitcoin ransom demand is made. The irony is that everybody is watching.