To Pay or Not to Pay: How to Deal With – and Avoid – a Ransomware Incident