While most decision makers would likely prefer to hear a simple yes or no when asking whether they should pay, nothing in security is simple. By and large, the position of many leaders in the industry is that the ideal situation is not to pay.

Security experts across the industry would like to see all enterprises, large and small, be prepared for a hit so that they can recover their data without paying a ransomware fee. The question of whether to pay the ransomware fee is tricky, though, as sometimes organizations are left with no other options.

When asked whether companies should ever pay a ransomware fee, Ryan Manship, security practice director at RedTeam Security, said, “The first thing about ransomware is that it’s in many ways like terrorism. The US has a policy not to negotiate with terrorists. Where does that come from? Why does it exist? The reality is, you can’t trust the bad guys. You can’t trust them to do what they say they are going to do, which is to give back access to your data.”

True, there is the issue of being able to trust that this is a single payment that will result in the return of data as promised, but enterprises that are hit with ransomware also experience the hard fact that a hit can make your most critical information inaccessible and in some cases not recoverable at all.

“Some people might argue that paying is a viable option at that point,” Manship said. In paying, though, they also have to consider whether they can trust the bad guy to keep their word. Certainly, this act of holding their data hostage could become a continuous cycle.

Manship said, “There is no evidence that decrypting data means they are out of your system. Are they going to give you the key? How many times are they going to try to extort money out of you until they laugh and walk away and you are out of luck?”

Determining whether or not to pay is a call much more easily made in the hypothetical. Hospitals have been frequent targets of ransomware attacks of late, which presents a precarious situation for those who have to weigh the risks and rewards of recovery. One extreme consequence of being hit by ransomware for the healthcare industry is that downtime could directly impact patient health.

Though it’s likely little help to say that every situation is different, Manship said, “I don’t presume to be able to predict the right action when people’s lives are on the line. I can’t presume to suggest the right course of action. Still though, I have to suggest that we don’t recommend that course of action because it sets a precedent and that’s a dangerous precedent to set.”

No industry wants to set the precedent that it is the most lucrative target, which is why having a conversation in strict black-and-white terms of paying or not paying isn’t feasible. “Every organization is different,” said Sean Mason, director of threat management and incident response at Cisco Security Services.

Government agencies and private enterprises have two very different ways of looking at the world. Mason said, “For government agencies ransomware is terrorism versus the private enterprise that has an obligation to their shareholders and customers.”

Whether to pay a ransomware fee really depends on what type of organization it is, because if an attacker can come in and essentially shut it down, that is a significant impact with costly repercussions. Understanding the impact of what has happened to the organization is important and ought not to be clouded by fear.

Many share the concerns of Mike Hanley, director of Duo Labs at Duo Security, who spoke about the continued attacks on hospitals. Hanley said that these attacks can directly impact patient health, but Mason isn’t as convinced that there is a correlation.

“It’s easy to say that a hospital got hit and patient lives are at risk, but that is not necessarily the case. It can be down the road, but I have not read about or seen one where patient lives were at risk,” said Mason.

“I think there are a number of cases where they should pay, and I say that unfortunately. If there is an impact to human life, that’s a no-brainer. You pay the ransom,” Mason said.

Criminals prey on the fear of their victims whether the ransomware impacts patient health or shareholder profit. They know that every minute without access translates to some sort of loss, and they rely on the hope that their victims will pay, which is why paying should be a last resort.

Taking a firm stand that nobody will ever pay is not realistic or even feasible, as proven by the fact that ransomware is a viable business model for criminals. “It works,” said Mason, “and to unilaterally say we won’t pay again is not in the realm of possibility.”

Instead, enterprises should prepare themselves for an imminent attack so that they are well placed to recover and move on. Lance James, chief scientist at Flashpoint, noted that ransomware is a symptom of a bigger problem.

“There is malware that comes in before the ransomware drops in, like Pony, Dridex, or other information-stealing malware, so those systems are already infected and they are stealing other data as well,” James said.

Many enterprises should be able to quickly recover without having to pay. “Paying is ill advised. There is already a security flaw if they are getting in the door. Hopefully those who have already been attacked will focus on thinking about the ransomware hit as a problem in their environment,” James said.

Those who have yet to be victims should treat a potential ransomware attack as they would prepare for a server crashing. James said, “They need to be thinking about which files matter, and if those are captured, do they have another way to get them.” Have redundant copies of every file, including shadow copies, and keep that data off the network and safely away from the ransomware.

Criminals are making a lot of money with ransomware attacks because they are playing a game of psychological warfare with their victims. Rather than pay the fee to them, pay in advance to defend at the endpoint, or pay a trusted forensics team to help with recovery. The bad guys know that no one wants to look like a fool, which is why, James said, many people have actually lied about being hit and paid the fee quietly.

Rather than succumb to the psychological coercion, James said, “There needs to be more situational awareness. It’s OK to get hit. It’s OK to talk about it, and it’s OK to have a plan and to not hide it. The alternative is that they are creating a hot spot for ransomware getting worse when criminals realize what else they can make people do, whether that means blackmail or causing the company harm.”

Organizations need to remember that just because they pay the ransom doesn’t guarantee they will get their data unlocked, or unlocked with no further impact. They are, after all, dealing with criminals.