Paying cyber criminals is not incident response – it is the cost of failed prevention
Instructure’s latest update says the company reached an agreement with the unauthorised actor involved in the incident. According to the statement, the data was returned, Instructure received digital confirmation of destruction through “shred logs,” customers will not be extorted, and individual customers do not need to engage with the actor directly.
That may sound reassuring, and Instructure did sound confident. But it should not be treated as closure.
The uncomfortable question is what an “agreement” with a cybercriminal actually means. If money was paid, or if any valuable concession was made, then the organisation has not simply resolved an internal crisis. It may also have helped finance the criminal economy that created the crisis in the first place, and sustained other, far nastier criminal activities (e.g., people smuggling, drug trafficking, child sexual abuse, money laundering).
Law enforcement has warned about this for years. The FBI says paying a ransom does not guarantee that an organisation will get its data back, and that payment encourages attackers to target more victims and incentivises others to join this type of crime. CISA has also warned that some victims who pay are targeted again, extorted for more money, and that payment can encourage the ransomware business model.
That is the real problem with relying on “assurances” from criminals. Once data leaves an organisation’s environment, control is lost. A shred log may show that one copy was deleted from one system, by one actor, at one point in time. It cannot prove that the data was never copied, cached, shared, sold, transferred to affiliates, or retained for future leverage.
This is why paying does not end the risk. It can mark the victim as someone willing to negotiate. It can tell other criminals that the organisation is sensitive to pressure. It can also create a roadmap for future attacks: which data mattered, which customers created reputational pressure, and what kind of threat forced the organisation to respond.
The bigger issue is how organisations get into this position in the first place. In many cyber incidents, ransom payment is not a strategy. It is the final consequence of years of underinvestment: weak vulnerability management, delayed patching, poor monitoring, overexposed systems, insufficient segmentation, weak identity controls, inadequate third-party oversight, and untested backups.
These controls are not exotic. At RightSec, we tell organisations on a daily basis to keep operating systems, software, and applications up to date; run updated anti-malware tools; back up data regularly; verify that backups work; secure backups away from the main network; and maintain a continuity plan. In other words, the cheaper and more effective response is usually prevention: patch before compromise, monitor before exfiltration, and recover from clean backups before criminals control the negotiation.
Whilst backups do not undo a data theft, they do reduce the pressure to pay when systems are encrypted or operations are disrupted. Vulnerability and patch management reduce the chance that attackers get in at all. Strong access controls and monitoring reduce how far attackers can move. Segmentation limits the damage. Encryption limits what can be read. Tested incident response plans stop panic from becoming policy.
The human impact should not be minimised either. In an education platform, breached data is not just “names and emails.” It may include identifiers, communications, behavioural records, relationships, and contextual information about students, staff, and institutions. Even when financial data or passwords are not involved, that information can still be used for phishing, impersonation, harassment, social engineering, and future extortion.
So, the lesson from this incident should not be: “The data was returned, therefore the problem is over.”
The lesson should be: an organisation that ends up depending on a criminal’s promise has already lost control of the situation.
Paying may buy time. It may reduce immediate public pressure. It may even prevent a leak in some cases. But it does not buy certainty, and it does not repair the security failures that made the payment attractive or necessary in the first place.
When organisations neglect basic cyber hygiene, the eventual cost is not only financial. Customers, students, staff, and the public absorb the risk, while organised cybercrime gets paid.
That is not incident response. That is a transfer of consequences from the organisation that failed to protect the data to the people whose data was exposed.
If it’s not over yet, what should happen next?
If you are one of the impacted organisations currently responding to this incident: Hold your overly confident comms! Continue with caution, always monitoring for leaks and phishing, and communicate clearly and realistically with affected communities.
Virginia Calegare - Author
Founding Director, Head of Strategy and IR