One in 3 companies would rather pay hackers than invest in security, researchers find

A recent survey conducted by security firm NTT Security has found that a third of organisations would rather pay hackers a ransom than invest in security. This surprising revelation comes in the wake of numerous breaches that have affected several high-profile companies over the past couple of years.

Firms such as Verizon, Equifax, Yahoo and others suffered massive data breaches, resulting in thousands of users’ personal data being stolen and compromised. Meanwhile, cybercriminals continue to use known attack methods, such as deploying ransomware and launching DDoS attacks, whilst branching out into new attack methods like cryptojacking.

However, according to NTT Security’s report, organisations are much more concerned about how a breach will affect their public image than how best to mitigate an incident and implement security measures to prevent future breaches.

“Across the board, companies were most concerned about what a data breach would do to their image, with 56 percent concerned about the loss of customer confidence and 52 percent fretting about damage to brand and reputation,” NTT Security said in its report. “One in four (25 percent) saw losing market share to competitors as their biggest threat.”

When asked whether they would consider paying hackers a ransom or investing in security, one in three respondents - decision makers at organisations across the globe - admitted they would rather cut costs by paying hackers than investing in further security.

Around 40% of organisations in France, Germany, Austria and Norway would consider taking this approach, according to the survey. In comparison, 35% of organisations in the US and 21% of organisations in the UK would take this approach when dealing with a cyber incident. Given the rapid rise in ransomware attacks over the past few years, this lackadaisical attitude toward security is certainly cause for concern.

Organisations must keep in mind that when dealing with cybercriminals, there are no guarantees. Even after paying a ransom, organisations have no real assurance that the attacker will honour the payment. What is more, ransomware operators are increasingly opting to be paid in cryptocurrencies which could leave companies vulnerable to unpredictable swings in asset value.

In the wake of devastating, widespread attacks like WannaCry and NotPetya, organisations should consider the long-term implications of cost-cutting methods when dealing with cybercrime.

Fortunately however, NTT Security’s report states that many organisations across the globe are heavily investing in security. Firms in US allocated 21.26% of the budget to invest in security. Meanwhile, 63% of organisations in the UK have an incident response plan. In comparison, 59% of organisations in the US and 51% of organisations in Australia have an incident response plan.

"While it's encouraging that many organisations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs," said Kai Grunwitz, Senior VP for EMEA at NTT Security, ZDNet reported.