The stock exchanges have security, said Stiennon, "however, they're not ready for the kind of DoS attack that could be launched against them. The only question is: Can somebody pull it off and extort enough money to make it worth their while to attack them?
"I believe that in the not too distant future (stock exchanges) will suffer those kind of attacks."
"My gut feeling is, if you're a manager and you're in a position where you could make a problem go away and buy yourself enough time to fix a hole, you're going to pay that," said Lyon. "The problem is, once you start paying, it gets around in those communities that you will pay and then you become a bigger target."
That's why Charlie Johnson, who leads Symantec's Global Consulting Group, always advises his clients to contact law enforcement instead of caving to the demands of extortionists. Of course, this could be pretty inconvenient and expensive if sensitive databases are encrypted and held hostage, especially given the poor state of cooperation between international law enforcement agencies.
Yet even Johnson, who agrees with Lyon, admits many companies will pay the money just to get their servers back on-line as fast as possible.
"What we're still finding is they're very reluctant to bring law enforcement in to help them with it. The really smart ones will bring in law enforcement because, if you don't shut it down, they'll keep coming back."
And therein lies the heart of the problem and a very good indication that most companies pay, said Stiennon. "The way you can tell (if companies pay) is if the attacks continue. I believe, just from conversations with bankers, they would cave in a minute to demands for money to stay up."