40% of Consumers Hold CEO Personally Responsible for Ransomware Attacks

June 17, 2020

Two-fifths (40%) of consumers hold business leaders personally responsible for ransomware attacks businesses suffer, according to global research from Veritas Technologies.

Furthermore, research shows the public often wants restitution from businesses that fall foul of ransomware - with 65% of respondents wanting compensation, and 9% even wanting to send the CEO to prison.

Simon Jelley, vice president of product management at Veritas Technologies, said: “As consumers, we are increasingly well-educated about ransomware, so we’re unforgiving of businesses that don’t take it as seriously as we do ourselves. The two most essential things that businesses should have in place, according to their customers, are protection software (79%) and backup copies of their data (62%). Now, it seems, if businesses don’t get these basics right, consumers are ready to punish their leadership.”

The research, covering six countries and 12,000 consumers, also appears to show a paradox when it comes to paying ransoms. Most people (71%) want companies to stand up to cyber-bullies and refuse to pay ransoms to get data back. However, when the issue becomes more personal, with a direct threat to their own data, many people change their minds and want the businesses they buy from to negotiate. When it comes to financial data, 55% of respondents want suppliers to pay the ransom to facilitate the return of records.

Jelley said: “It may seem that businesses are in an impossible situation with consumers telling them both to pay – and not to pay – ransoms. However, what we, as customers, are really saying is that we want businesses to escape the dilemma by avoiding the situation in the first place. Consumers expect businesses to have the technology in place to restore their data without negotiating. That’s the win-win solution and, considering the likely brand damage and loss of customers that come with failing to put this into practice, the risk is simply too big for companies not to have this aspect of their systems in place.”

In fact, the study shows how some consumers quickly lose patience with companies that risk data through ransomware attacks. Almost half of respondents (44%) would stop buying from a company that had been the victim of such a crime.

The research, covering consumers in China, France, Germany, Japan, the UK and the USA, uncovered some interesting patterns that emerge from country to country:

In China, people have the highest tendency to change their minds on negotiating with cybercriminals, when it’s their own critical information. While 80% of respondents believe businesses shouldn’t negotiate in general, when it becomes a personal issue of recovering their own data, that number drops sharply to just 16%.

Brits have the strongest feelings about standing up to cyber-bullying demands, with 81% believing businesses should not negotiate with criminals.

The French seem to be the most forgiving respondents from surveyed countries, with less than one quarter (24%) wanting to blame company heads, just over half (55%) believing only criminals can be blamed for ransomware attacks, and only one-third (36%) considering dropping a company’s services after an attack.

Inversely, the Japanese and Chinese are the least forgiving, with 49% and 51% dropping company services after an attack, and China looking to blame business heads directly (66%).

Germans are most vociferous about harsh punishment for leaders following an attack, with 29% of those who blame the leaders seeking a prison sentence.

In contrast, in the United States, the most common attitude for those blaming leaders is to seek fines as punishment (41%).

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.