Whether to pay ransom to kidnappers is a hotly contested question. Failure to do so endangers the lives of hostages. But it might also discourage future kidnappings. What to do?

A similar debate is raging around the subject of ransomware attacks on organizations. Should victims pay to recover their private data? Or does giving in to ransom demands encourage criminals to double down on the practice?

The FBI, for one, discourages payment. Doing so “may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and/or fund illicit activities,” the agency says. “Paying the ransom also does not guarantee that a victim’s files will be recovered.”

In addition, the payment of ransom might expose victims to sanctions. According to the U.S. Treasury Department, “In the U.S., while there is no outright law that makes paying ransomware demands illegal, there are in fact significant legal and financial risks associated with making such payments.”

So: Is a “no-concessions” policy a sensible response to a ransomware attack? Most victims don’t have the nerve to try it. But it’s an option in cases where the targeted person or organization has safely backed up their files, says Chris Denbigh-White, chief security officer with Next DLP, provider of a data-protection software platform. Then it’s more a matter of inconvenience than permanent and devastating loss of data. (There remains the possibility of damage to reputation, though, if the exposed information is especially sensitive or embarrassing.)

The nature and intent of ransom attacks is changing, Denbigh-White says. In their early form, they often involved blocking access to essential data, then offering a “key” to unlocking it upon receipt of payment. These days, however, attacks may also involve the outright theft of data, for purposes other than pure profit.

“The real threat,” says Denbigh-White, “is that I have all your sensitive data and I’m going to leak it over the internet.” Victims could then become subject to penalties for violating consumer data-privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), as well as lawsuits by private individuals.

It's a high price to pay, no matter how the victim chooses to react. Denbigh-White acknowledges the logic of denying criminals a reward for their actions. But that’s “logical in a vacuum,” he says. “Anybody with a grasp of what the world is like isn’t being practical in the short run. When criminals’ revenue streams are threatened, they don’t simply pack up and get jobs at Walmart. What they tend to do is intensify their efforts and get more nasty.”

In theory, businesses and individuals at a higher risk of loss could ask regulators for a disclaimer that shields them from the punitive consequences of paying ransom. Again, says Denbigh-White, that might seem logical on the surface. “But all it does is paint a target on industries known to have the ability to pay ransom.”

The better approach lies in adopting effective measures that prevent bad actors from penetrating systems in the first place. “Rather than making ransom payments illegal,” Denbigh-White says, “we need to create a digital safe working environment for all companies to operate in.” And while that may be of little value to entities under attack, it’s a solid strategy for addressing the problem in the longer run.

“It starts with the basics,” he says. The means of repulsing most types of cyber-attack are generally available today. They include applying multi-factor authentication of systems and people, ensuring that employees remain vigilant about not clicking on suspicious messages or bringing to work unprotected personal devices, and undertaking regular updates and patching of security software. And, of course, there’s no lack of cybersecurity experts who stand ready to advise on the most effective measures for preventing all types of attacks.

Why, then, do so many organizations remain susceptible to cyberattack? Why won’t they take the necessary and obvious steps to shore up their systems? “These things are fundamental and basic,” explains Denbigh-White, “but they’re difficult and not interesting to do.” That’s especially the case with a multinational concern employing thousands around the globe and a host of legacy IT systems.

“People tend to conflate fundamental with easy,” Denbigh-White says, “and it’s certainly not easy.” He likens the problem to individuals who know that regular exercise and a good diet will help them to live longer, but fail to adopt those measures.

Denbigh-White nevertheless believes businesses are waking up to the need to embrace effective cybersecurity practices. They’re motivated in part by the adoption of strict consumer-privacy regulations such as GDPR. And, thanks to a raft of news stories, they’re fully aware of the nightmare that ensues when a business comes under attack from ransomware.

All of that “has brought the conversation to a head,” Denbigh-White says. “I’m quietly confident that we are slowly moving in the right direction.”