Could you shoot someone if you had to?

Imagine the situation. Two armed criminals have broken into your property in the middle of the night. You go downstairs to investigate the noise. As you walk into the kitchen you see that one of them has put their gun down on the worksurface as they search through a drawer. The second burglar spots you and begins to raise their weapon. In a split second you grab the gun and aim it at the person threatening your life. Could you pull the trigger?

As an ethical dilemma discussion it’s a mildly diverting question. You might convince yourself that you would pull the trigger, or you might have doubts about whether you could go through with it. But, until you are in a real life-or-death situation, or a close simulation of it, you can’t tell how you will react. Most of us have no way of knowing how our brains will function in such a situation.

Less dramatic, though equally life-or-death in a corporate sense, is whether to pay a ransom demand from a cyber attacker. Your organisation is being throttled and you can’t access the data or applications you need to carry on your business. There’s a very real prospect that your organisation will be harmed so gravely that it may never recover. Of course, there’s no guarantee that paying the ransom will result in the attacker releasing their hold. But ransomware protagonists are becoming ever more sophisticated and it’s actually in their best interests to release you once you’ve paid. Ransomware is big business but it only works as a viable (if criminal) business model if word gets around that ‘paying up’ works.

The CEO of Colonial Pipeline admits paying $4.4m to release the stranglehold of the attackers and reinstate oil supply to the US East Coast. And meat company JBS reportedly paid $11m to release their data.

The protagonist has probably given you a deadline. All of the grand pronouncements on the ‘ethics and values’ pages of your website are now thrown into sharp focus. Some people on the crisis team might well say ‘pay up’. Others will be holding the ethical line. The Board will undoubtedly have a say in the matter and your insurers will have a view. There are even reports of ransomware gangs emailing customers to increase the pressure to pay.

So, what are you going to do? Rather like the gun situation, it’s far better to do the soul-searching in a simulation than in real life. Many of our clients have simulated these discussions in the cyber exercises that we have run lately. In that way they can pause, reflect and consider the issues in their own timescales rather than those of the criminals. Whatever you do, don’t wait until the real thing happens to examine how your organisation would react.
