Half of all businesses would pay off cyber criminals to avoid GDPR fines

30 November 2018 (Last Updated December 23rd, 2019 09:48)

Almost half of all business IT directors would hand over money to cyber hackers in order to avoid the costly fines that come with falling foul of the General Data Protection Regulation (GDPR).


According to a new survey conducted by digital security company Sophos, some 47% would ‘definitely’ be willing to hand over a ransom if it meant avoiding reporting the breach to authorities. Likewise, another 30% said that they would consider paying off the cyber criminals.

Just one in five ruled out any possibility of paying off a ransom altogether.

The survey found those less likely to pay a ransom were small businesses. More than half of respondents from companies with fewer than 250 employees said that they would pay up. Likewise, only one in 10 from companies with 500-750 employees would consider paying a ransom.

The reason for this is likely the consequences that come with breaching GDPR, which would likely be far more costly for larger businesses. Under the new laws, businesses that are found to have failed to protect customer data face a fine of up to €20m or 4% of global annual turnover, whichever is greater, meaning that big businesses face paying much larger amounts than cyber attackers would likely demand.

"Don't pay the ransom"

However, according to Adam Bradley, UK managing director at Sophos, this shows that businesses “misunderstand the threat and consequences” of data breaches. Paying a ransom does not guarantee the safe return of company data, nor does it guarantee that the business will avoid a GDPR fine.

Bradley said:

“It is concerning to learn that so many UK IT leaders misunderstand the threat and consequences of even a minor data breach. Companies that pay a ransom might regain access to their data, but it’s far from guaranteed and a false economy if they do it to avoid a penalty. They still need to report the breach to the authorities and would face a significantly larger fine if they don’t report it promptly.

“It is surprising that large companies appear to be those most likely to pay a ransom. It is a mistake for companies of any size to trust hackers, or to expect that they’ll simply hand the data back.

“Our advice? Don’t pay the ransom, do tell the authorities promptly and make sure you take steps to minimise the chances of falling victim again.”

UK businesses among most misinformed

According to the study, businesses based in the UK are more confident that they adequately comply with GDPR. Some 46% of UK-based IT directors said they are confident that their organisations are compliant.

This is higher than the rest of Europe, where the percentage only topped 40% in the Netherlands. Just 37% of businesses in France believe they are fully compliant, as well as 35% in Ireland and 30% in Belgium.

And yet, the study found that UK firms were perhaps not as prepared to deal with cyber threats post-GDPR as they believe. Just 13% of UK-based directors reported that they had tools in place to prove compliance following a breach, compared to 27% in the Netherlands, 24% in France and 20% in Belgium.