Trust may seem like a distant concept for a small business that has been locked out of their essential systems, however, and taking the moral high ground can be a difficult if not impossible choice. This is why Turner advises that it is "vital" to plan for the handling of "foreseeable" ransomware attacks well before they happen - so that ethical decisions are not made incorrectly in the heat of the moment when files have already been locked by errant ransomware.
"The time to be having a discussion about whether an organisation is prepared to pay ransom, or not, is not in the middle of a successful attack," Turner writes. Devices with little or no valuable information can be wiped with little to no impact, he says, while more-important data can be protected using a business impact assessment backed by appropriate technical controls to prevent, or minimise the impact of, an attack.
Such decisions must be made at the highest levels of the organisation - ideally at board level, Turner says: "It is only with the clarity of this executive decision... that an organisation will have the will to commit to maintenance of technical hygiene and implementation of appropriate controls. It is imperative that business leaders understand why they are committing to this."
Sign up for CIO Asia eNewsletters.