Economically, is it smarter to pay up or hold off?
Ransoms - demanding money for the return of something valuable after illegally taking it - are nothing new. However, as our world has digitalised, it has created a new opportunity for hostage-takers: cyber ransoms. Hackers are taking control of company data and demanding large sums of cash to return access. This is becoming increasingly common. One survey found two-thirds of companies in Western countries suffered a ransomware attack in 2020.
So, should firms pay up? Most of us know from movies to never negotiate with kidnappers, and this is indeed the stance that most national governments and state security services take. There are two reasons why. The first is that paying hackers creates an economic incentive for them to keep on hacking (or for newbies to get into the game). That’s not good for society as a whole, especially because the negative impacts of hacking go beyond causing some financial losses to big businesses. For example, individuals could have their private information leaked and key services could go offline.
The second reason for not paying hackers is that criminals are not bound by any of the usual regulations that protect people engaging in economic transactions. If a shop refused to give you a product after you’d paid for it, you could engage the law and get compensation. If a cybercriminal refuses to release your data after paying their ransom… well, there’s not much you can do about it.
Despite this, in practice a slim majority of firms do fork out the requested cash when cyber-attacked. Unless Liam Neeson is their Head of IT, there’s usually no other way to get their data back, and rebuilding the lost databases from scratch often costs significantly more than the ransom. Not paying up could even mean going bust. There’s wider ramifications to that too, including job losses and disappointed customers.
There's also a problem with the argument that giving in to cybercrime means more of it: it suffers from being what economists call a ‘free rider problem’. Companies know that just because they make the sacrifices that come with not paying the ransom it doesn’t mean other companies will too - in which case they will have lost their data without any of the wider benefits being gained. The usual way to fix the free rider problem is for the state to make participation compulsory. Some people would therefore like governments to make paying ransoms illegal. Others argue that would be an unfair constraint to put on businesses.
Of course, companies that do pay still risk being cheated by nefarious crooks. But that risk isn’t always as big as it may first appear: one study found that 92 percent of businesses that paid their cyber ransom got their info back. That’s because ransomers themselves have an economic incentive to make ransom-paying an appealing option. Future victims are more likely to also pay up if they’ve heard that their peers successfully got their data back that way. Some hackers even provided customer-support-like chat bots to help firms re-access their data.
Read our explainer on: technology and the economy