Nearly half of all UK tech bosses are prepared to “do an Uber” and pay a ransom fee to hackers to avoid reporting a data breach and risking a fine under GDPR, despite the potential reputational and financial damage such actions would incur.
Earlier this week, Uber came in for fierce criticism – and fines totalling nearly £900,000 – after admitting that it paid off hackers rather than divulge its own data breach to customers and the authorities.
Now, according to a study commissioned by security firm Sophos, 47% of UK IT directors said they would “definitely” be willing to pay a ransom while a further 30% said they would “possibly” consider paying off criminals if the ransom was lower than the GDPR fine; just one in five (18%) respondents completely ruled out paying their attackers.
The Sophos study revealed that small businesses were least likely to consider paying a ransomware demand, with 54% of IT directors at UK companies with fewer than 250 employees ruling out paying their attackers, while just 11% of directors at companies with 500-750 employees said they would refuse to cough up.
The study, based on more than 900 interviews conducted by market research firm Sapio Research, also showed that UK IT directors are significantly more likely to pay up than their counterparts in other Western European countries.
Of the five European countries studied, Irish IT directors were the least likely to pay. Just 19% said they would “definitely” be willing to pay a ransom rather than a larger fine.
IT directors in France, Belgium and the Netherlands were also less likely to pay a ransom, with only 33% of respondents in France, 24% in Belgium and 38% in the Netherlands saying they would “definitely” be willing to pay.
Adam Bradley, UK managing director at Sophos, said it was “concerning” to learn that so many UK IT leaders misunderstand the threat and consequences of even a minor data breach.
“Companies that pay a ransom might regain access to their data, but it’s far from guaranteed and a false economy if they do it to avoid a penalty,” he said. “They still need to report the breach to the authorities and would face a significantly larger fine if they don’t report it promptly.
“It is a mistake for companies of any size to trust hackers, or to expect that they will simply hand the data back. Our advice is not to pay the ransom, to tell the authorities promptly and make sure you take steps to minimise the chances of falling victim again.”
The study also revealed that although UK chiefs are more likely to pay cyber ransoms, they are also the most confident of those polled that they are compliant with GDPR.
Some 46% of UK IT directors said they were confident that their organisations are fully compliant with GDPR rules, compared with 44% in the Netherlands, 37% in France, 35% in the Republic of Ireland and 30% in Belgium.
However, just 13% of UK bosses said they had tools in place to prove compliance in the event of a breach, compared with 27% in the Netherlands, 24% in France and 20% in Belgium.