Why do businesses pay ransomware when they have good backups?

Last year, the global damage from ransomware attacks was an estimated $20 billion, the highest yet. Companies around the world were in panic mode, some on the verge of partial collapse, others already left in ruin. This year has been no different: ransomware attacks are on the rise and have hit some of the country’s largest industries, such as the Colonial Pipeline and JBS Foods, which in turn has left many people wondering why companies aren’t doing more to protect themselves.

The truth is that, though many companies have backup systems in place for such emergencies, many do not understand how those systems will actually work in a crisis or how they will keep the business afloat in the meantime. What’s even more concerning is that large companies like JBS are not the main targets; small businesses are. Many small business owners believe themselves immune to such attacks because they assume their information is relevant to them alone. But organized hackers are not interested in a small business’s data so much as in holding that data hostage to get what they really want: money. The results can be catastrophic for that small business, from losing credibility with one’s clients and customers to paying a ransom to cybercriminals that one may never financially recover from.

Here’s why so many businesses end up paying the ransom, and what companies need to do better in the future so they don’t meet a similar fate:

Do the Math

Unfortunately, though most businesses have backup systems in place for natural disasters or emergencies, most never take the time to figure out how long it will actually take to restore their files. These backup systems are complex; a full restore is not something that can be done within an hour. As a result, the attackers’ decryption key can get the files back sooner than the backups can be restored, and that gap is exactly the leverage the ransom demand relies on.

The first thing your company must do is establish your RTO (recovery time objective) and your RPO (recovery point objective). Though these terms may sound similar, it is essential for your company to understand the difference.

RTO (recovery time objective) is the amount of time it takes to return to regular business practices after a natural disaster or cyberattack. In many instances, the extortion payment is only half the battle. What companies don’t realize is that the time it takes to get back up and running can be just as costly, if not more so. “A steadily growing list of victimized companies have reported that other costs associated with an attack—downtime, lost sales opportunities, angry customers, the expense of attack mitigation and recovery, damage to company brand reputation, penalties for unmet contractual obligations to customers, and fines for non-compliance—make the cost of the ransom look trivial,” says Acronis.com.

That is why it is crucial for your company to identify its RPO (recovery point objective): the point in time from which you want to recover your data. For example, if your company backs up its systems every day at midnight, the previous midnight will essentially be your recovery point, and any work done since then is lost. It’s easy to assume that a company would simply back up its systems more often, say, every hour. Unfortunately, every backup creates additional copies of your company’s data and drives up the cost of offsite storage. That is why it is essential that your company identify its ideal RPO. If you fail to do so, your business could find itself facing complete collapse. Site outages usually cost businesses at least $20k for every day of downtime, with more than a quarter of organizations reporting that one day of downtime would cost over $100k. Once an organization sees how detrimental one day of downtime is, many will give in and pay the ransom to keep the organization from going under.
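The "math" this section asks for can be written down so the trade-off is explicit before an incident rather than argued about during one. The example below is an added illustration, not code from the original article or from any vendor it mentions. It treats the backup interval as the worst-case RPO, computes RTO as detection and decision lead time plus the time to restore every byte at a measured throughput, and prices the resulting outage against the $20k/day floor quoted above. All business and plan figures are constructed sample values, and the storage model assumes, as a simplification, that every retained copy costs the full data size.

```python
"""Worked RTO/RPO math for choosing a backup plan before ransomware strikes.

Added example with constructed sample values; the $20k/day downtime figure is
the floor quoted in the article. Not code from the original page.
"""
from dataclasses import dataclass

HOURS_PER_DAY = 24.0


@dataclass(frozen=True)
class BackupPlan:
    """One candidate backup/restore setup (constructed sample values)."""
    name: str
    interval_hours: float        # time between backups; bounds how much work you can lose
    restore_gb_per_hour: float   # sustained restore throughput, as measured in a restore drill
    retained_copies: int         # copies kept offsite (assumption: each costs full data size)


@dataclass(frozen=True)
class Business:
    """What the business needs and what an outage costs it."""
    data_gb: float
    response_lead_hours: float       # detect, contain, and decide before a restore can start
    downtime_cost_per_day: float     # the article quotes at least $20k/day
    storage_cost_per_gb_month: float
    rto_target_hours: float          # longest outage the business can tolerate
    rpo_target_hours: float          # most work (measured in hours) it can afford to lose


def worst_case_rpo_hours(plan: BackupPlan) -> float:
    """Worst case, the attack lands just before the next backup, so a full interval is lost."""
    return plan.interval_hours


def rto_hours(plan: BackupPlan, biz: Business) -> float:
    """Lead time plus the time to pull the whole data set back from the backup copy."""
    return biz.response_lead_hours + biz.data_gb / plan.restore_gb_per_hour


def downtime_cost(biz: Business, hours: float) -> float:
    """Outage cost for a given number of hours down, pro-rated from the daily figure."""
    return hours / HOURS_PER_DAY * biz.downtime_cost_per_day


def monthly_storage_cost(plan: BackupPlan, biz: Business) -> float:
    """Offsite storage bill under the full-copy simplification."""
    return plan.retained_copies * biz.data_gb * biz.storage_cost_per_gb_month


def evaluate(plan: BackupPlan, biz: Business) -> dict:
    """Score one plan against the RTO/RPO targets and price both the outage and the storage."""
    rpo = worst_case_rpo_hours(plan)
    rto = rto_hours(plan, biz)
    return {
        "plan": plan.name,
        "rpo_hours": rpo,
        "rto_hours": rto,
        "meets_rpo": rpo <= biz.rpo_target_hours,
        "meets_rto": rto <= biz.rto_target_hours,
        "outage_cost": round(downtime_cost(biz, rto), 2),
        "storage_cost_per_month": round(monthly_storage_cost(plan, biz), 2),
    }


def viable_plans(plans, biz: Business) -> list:
    """Plans that meet both targets, cheapest outage first, storage cost as the tiebreaker."""
    results = [evaluate(p, biz) for p in plans]
    ok = [r for r in results if r["meets_rpo"] and r["meets_rto"]]
    return sorted(ok, key=lambda r: (r["outage_cost"], r["storage_cost_per_month"]))


# Constructed sample: a 4 TB business that can tolerate one day down and four hours of lost work.
SAMPLE_BUSINESS = Business(
    data_gb=4000.0, response_lead_hours=8.0, downtime_cost_per_day=20_000.0,
    storage_cost_per_gb_month=0.02, rto_target_hours=24.0, rpo_target_hours=4.0)

SAMPLE_PLANS = [
    BackupPlan("nightly to offsite disk", interval_hours=24.0, restore_gb_per_hour=100.0, retained_copies=7),
    BackupPlan("4-hourly to cloud", interval_hours=4.0, restore_gb_per_hour=250.0, retained_copies=12),
    BackupPlan("hourly to cloud", interval_hours=1.0, restore_gb_per_hour=500.0, retained_copies=48),
]

if __name__ == "__main__":
    for plan in SAMPLE_PLANS:
        print(evaluate(plan, SAMPLE_BUSINESS))
    print("viable:", [r["plan"] for r in viable_plans(SAMPLE_PLANS, SAMPLE_BUSINESS)])
```

With the sample figures, the nightly plan fails both targets (a day of lost work and a 48-hour restore costing $40k), while the hourly plan restores in 16 hours for roughly $13.3k of downtime at the price of a larger storage bill. The useful part is the `restore_gb_per_hour` input: it only means something if it came from an actual restore drill, which is the step the article says most businesses skip.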

Paying the Ransom Sets Up a Harmful Precedent

Paying the ransom is the last thing a company should do, but it is a decision that is not taken lightly. The FBI is just one of the top agencies that does not support paying a ransom in response to a ransomware attack. FBI Director Chris Wray recently pleaded with the public to avoid paying ransom money at all costs: “In general, we would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back.” The Forbes Technology Council predicted that by the end of 2019, businesses would fall prey to a ransomware attack every 40 seconds. These numbers have only gotten worse since then. As a result, the FBI has seen cybercriminals ask for nearly triple the amount of money they did in previous years. Organizations no longer have the luxury of relying on good faith and untested recovery processes to steer clear of such attacks.

But when companies fail to determine their RPO and RTO properly, some feel they have no choice but to pay the ransom. Yet preparing for and withstanding such attacks is not impossible. All of these issues can be addressed with specific, detailed action plans for handling such emergencies.

Have a Business Continuity Plan

The best thing your organization can do to protect itself against a cyberattack is to have a business continuity plan: a detailed outline of how your business will operate during short- and long-term disruptions. This document summarizes your company’s processes, assets, personnel, partners, customers, and more: every aspect of the business that might be affected.

A business continuity plan is sometimes mistaken for a disaster recovery plan, but it is much more comprehensive: a disaster recovery plan mainly covers IT infrastructure and processes. That is why, in the face of such large-scale disasters, it is imperative to have a thorough business continuity plan that covers every corner of the company. Once a disaster strikes, it is too late to go back and plan a response. In order for your organization to survive a cyberattack without paying the ransom, you must be proactive. Otherwise, you risk losing everything you built.

Advantages to Having a Business Continuity Plan

The entire business landscape has changed, with 13% of small business owners saying they rely more on technology than ever before due to the Covid-19 pandemic. With so many businesses now operating within a digital landscape, business continuity plans offer far more advantages and solutions, with greater capabilities than in previous years. If your company is one of the hundreds of thousands of businesses that has now transitioned to a remote work environment, it is crucial not only to review, but to reframe your plans for business continuity.

Review Your Current Plan

In order to avoid paying a ransom, the first thing your business must do is review its current business continuity plan. Pay attention to these six areas of development:

  1. Define the scope of your work: What does the plan cover and what are its objectives?
  2. Identify essential business areas: What are the elements of your business that are vulnerable to attack? (For the most part, this will include every department likely to be affected by the attack.)
  3. Identify critical functions: What are the most vital operations of your business?
  4. Compare the business areas and functions: How are these systems integrated and how do they function alongside one another?
  5. Identify the RPO for each function: How much downtime is acceptable without taking on too much financial risk or damage to the company’s reputation?
  6. Design a plan to maintain operations and minimize downtime: After assessing and evaluating your strategy, how can the plan be shared with individual stakeholders so that when an attack occurs, all parties involved will understand and undertake their given role(s)?

Reframe Your Current Plan

In response to Covid-19, we can look at your current business continuity plan and offer greater peace of mind and better forecasting for the tough times ahead with these four new areas of development:

  1. More comprehensive, solution-based capabilities: While past solutions relied on physical storage with slower response times, today’s options are broader, with much more fluidity and connectivity.
  2. Minimal to no downtime: With the high cost of downtime being one of the top reasons companies give in and pay the ransom, this area was essential to reframe. New business continuity plans ensure that clients and customers experience little to no downtime even while the business is recovering from an attack.
  3. Unlimited data storage: Backup systems used to be stored in separate facilities, sometimes miles from central business operations. With the advent of cloud networks, data can be stored in architectures that are easily accessible and well organized.
  4. Backups for various systems: A modern business continuity plan provides the protection individual systems and hardware need to keep functioning. These solutions do not replace existing systems; rather, they support current systems so that operations are maintained.

Be Proactive. Be Prepared.

The reason so many businesses end up paying a ransom when they have good backup systems is that they are not prepared. They either set up backup systems without testing them, or fail to write a business continuity plan and then scramble in the face of a cyberattack. The best thing your business can do to survive a cyberattack is to be proactive. In our current times, data security and recovery are the last place to cut corners. If you have questions about how to review or reframe your current business continuity plan, contact us today to see how we can be of service.
