Are you aligning your company’s controls with the business to ensure that your company is not paying $3 million to protect a $51K asset?

Of course, I think that the majority of the people reading this blog post wouldn’t find the situation alluded to in its title a dilemma. This is InfoSec 101 material. However, I read an interesting blog post by Kevin Townsend at securityweek.com that makes you think about this building-block InfoSec principle:

Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 — which (at the time of writing) is still without resolution.

Precise details on the Atlanta contracts are confused and confusing — but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to total roughly $2.7 million. The eventual cost will likely be more, since it doesn’t include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.

The ransomware used in the attack was SamSam. In February this year, SecureWorks published a report on SamSam and attributes it to a group it knows as Gold Lowell. Gold Lowell is unusual in its ransomware attacks since it typically compromises its victim networks in advance of encrypting any files. 

….

However, the few facts that are known raise a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world who advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the ransomware restitution (more than 50-to-1 and growing), all of which must be paid with someone else’s money, makes it reasonable to question the decision.


Actions

  1. Have you decided, in advance, how you will respond to a ransomware attack, including whether paying the ransom is ever an option? Do you have supporting procedures, and do your legal counsel and insurer know what they are? Remember what a ransom payment does and does not buy: in the Atlanta case the attackers had already compromised the network before encrypting anything, so a decryption key alone would not have evicted them.
  2. Are you aligning your company’s controls with the business to ensure that your company is not paying $3 million to protect a $51K asset (unless your company supports this kind of wasteful behavior)?
