Is a single ransomware extortion policy realistic?

A blanket ransomware policy may be unrealistic. By understanding your data, you can avoid having to make poor decisions on the fly.

Anthony Woodward


Share on Social Media
October 11, 2023

Subscribe to FILED Newsletter

Get your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

  • ASIC will take legal action against companies that were unprepared for cyberattacks.  
  • 80% of lower education providers and 79% of higher education providers reported a ransomware attack in the last year.
  • Microsoft accidentally exposed 38 terabytes of data from hundreds of employees

But first, do you have a ransomware extortion policy?  

If you only read one thing:  

Should you pay a ransomware attacker?

It has been an eventful year in cybersecurity, and it feels like everyone is taking a step back and building their strategies for when (not if) they are targeted by ransomware or other attacks.

One of the key issues at play: whether to pay a ransom to attackers.

While lawmakers and cybersecurity experts agree that companies should not pay a ransom demand in the event of a cyberattack, a new survey suggests half of Australian boards are unsure, and two thirds of respondents were still waiting on their board to give formal guidance on their extortion payment views.

A quarter of the respondents to the survey said their organization had been hit by a cyber extortion threat, and of these, just 11% paid the ransom.  

By developing your ransomware extortion policy before you get hacked, to avoid making these decisions, “at the time a blowtorch is being applied to you,” as one partner put it.

But is it realistic to develop a blanket policy for ransomware attacks when you can’t predict the exact nature of the attack in advance? Your response must consider the context: what customer data was accessed, and how sensitive was it?

According to reporting in August, law firms were particularly prone to paying ransoms, rather than dealing with the negative consequences of having data posted online. Law firms make attractive targets due to the volume of sensitive data handled, and a “porous IT environment with supply chain vulnerabilities.”

To understand this approach, consider the ongoing fallout from the HWL Ebsworth breach. Australia’s national cybersecurity coordinator announced last month that attackers had stolen saw 2.5 million documents from the firm, publishing 1 million online. The hack has affected 65 government agencies.

Facing this potential outcome, and under pressure to respond, it makes sense that some choose to pay up, particularly if they are in the dark about what has been taken.  

The less you know, the more risk you face

Companies doing a poor job managing their data—failing to classify the sensitive data and ensure it is removed as soon as legally permitted—leave themselves with few options, and may decide the pros of paying attackers outweigh the cons.

After all, customers whose data has been accessed in a data breach will leave the service, as Optus found out last year.

A legal ban may not solve this issue

In the United States, the White House is considering a ban on paying a ransom, and certain states like New York and Hawaii have introduced bills prohibiting governmental, business and health care entities from paying up.

Paying a ransom is not illegal in Australia, but it could be classed as an offence if such a payment breached terrorism finance laws or went to a sanctioned organization.

Even if there were laws prohibiting ransom payments, companies with limited understanding over the scale of the breach, facing pressure to respond, may decide to pay up and take the penalty.

Strong data management practices offer a way out. By understanding the data you have, its location, and its sensitivity, you can help ensure that in the event of a ransomware attack, you can make informed decisions, rather than panicked ones. You can reduce your attack surface by removing data you don’t need, and you can ensure you are protecting the rest.

Establishing a one-size-fits-all ransomware policy may be unrealistic, but by understanding what data you have you can avoid having to make poor decisions based on ignorance.

Privacy & governance  

The Australian government has committed to an overhaul of the nation’s privacy laws, with changes including a “right to be forgotten”, bans on targeted advertising for children, and a right to sue for privacy invasions, with legislation expected to be introduced in 2024.

The Australian Securities and Investments Commission will take legal action against companies that were unprepared for cyberattacks.  

A class action lawsuit alleges health agency Viginia Mason Franciscan Health violated patient privacy in its use of Meta’s tracking pixels in a patient portal.  

Let’s tackle data privacy before we consider AI regulation, US lawmakers say.


Microsoft accidentally exposed 38 terabytes of data, including private keys, passwords and internal Microsoft Teams messages from hundreds of employees, but no customers.  

FBI director asks private sector for some help with cyber intelligence. “When you contact us about an intrusion, we won’t be showing up in raid jackets.”

80% of lower education providers and 79% of higher education providers reported a ransomware attack in the last year, according to a new report from Sophos and AtlasVPN.  

The MGM cyber attack, explained. One of the key attack vectors? LinkedIn. Also features an explanation of “vishing” (voice phishing).  

Okta says the attackers, who also hit Caesar’s Entertainment, hacked another three unnamed organizations.

The latest from RecordPoint  


Read our case study on how this government agency that replaced its outdated EDRMS to improve efficiency and lower costs.


An Andrew double bill for you this month on the FILED podcast:

John Bean Technologies documentation and information governance manager Andrew du Fresne joined us to share key advice for organizations who wish to prepare their records for natural disasters, and described the unique and humbling experience of helping to secure records from first responders to the September 11 terrorist attacks.

Then Vital Records Control VP of advocacy Andrew Ysasi jumped on the podcast to explain how records and information managers can help cybersecurity professionals to overcome threats.


Get hooked on FILED

This can be a fast-paced, complex industry and it can get overwhelming. FILED is here to help you navigate it.