Should Your Company Start Setting Aside Funds to Negotiate With Cyberextortionists?

by @HRTMExec

At first glance, the answer may seem quite cut and dry: You never negotiate with criminals, and that includes cybercriminals. However, if you consider how many companies have been breached, the likelihood of it happening to your organization, and the lack of viable alternatives, negotiating doesn’t seem like such an outrageous idea.

A ThreatTrack Security white paper reveals that 30% of security professionals are willing to negotiate with cybercriminals. ThreatTrack Security helps organizations identify and stop Advanced Persistent Threats (APTs), targeted attacks, and other sophisticated malware designed to evade traditional cyber defenses. The company commissioned a blind survey of 250 security professionals who worked at mid-market companies with 500 to 2,500 employees.

When asked about negotiating with cyberextortionists:

  • 30% would negotiate
  • 70% would not negotiate
  • 85% believe that other organizations have negotiated with cyberextortionists

However, 38% have already been victims of cybercrimes, and among those who have been targeted:

  • 55% would negotiate
  • 43% recommend setting aside funds for negotiating with cybercriminals who steal, encrypt, or threaten to sell their data

In addition, 22% of all respondents said it would depend on the type of data. When asked the types of data they would be willing to negotiate for:

  • 37% would negotiate for employee data (social security numbers, salaries, addresses, etc.)
  • 36% would negotiate for customer data (credit card number, passwords, email addresses, etc.)
  • 30% would negotiate for intellectual property (product design, software code, R&D, etc.)
  • 26% would negotiate for confidential executive communications
  • 22% would negotiate for financial data (earnings, reports, M&A activity, etc.)

The respondents have varying opinions regarding the role of the government in cybercrime extortion investigations:

  • 44% said the government should be notified immediately and granted complete access to corporate networks to aggressively investigate any cybercrime extortion attempts
  • 38% said the government should establish policies and offer guidance to companies who fall victim to cybercrime extortion
  • 30% said companies should have the option of alerting the government to cybercrime extortion attempts made against them
  • 10% said the government should make it a crime to negotiate with cybercriminals

Regarding their chances of becoming victims:

  • 75% believe all companies are a likely target for cybercriminals because they believe “all organizations are targets/have valuable data” and/or they have “experienced at least one data breach or attempted breach”

We asked Stuart Itkin, Senior Vice President at ThreatTrack Security, if he would ever recommend negotiating with cyberextortionists. “As distasteful as it is, this is a question that every organization needs to ask itself. In my opinion, you can never trust cyber-extortionists to hold up their end of the bargain. Back up your data and invest in the latest cyber defense to minimize your exposure to this risk.”

Itkin says that security pros at organizations that have already been targeted by cybercrime extortion are more willing to negotiate. “Clearly, their experience has led them to conclude that negotiation – when compared to losing their data – is the lesser of two evils.”

However, he says it is important to note that cyber-extortion can take on many forms. “For example, there’s ransomware (malicious programs) that can encrypt your data in exchange for payment. If you don’t pay, you lose your data. This is generally about $500 per incident, so in many cases organizations pay the ransom. However, on the extreme end, there are cybercriminals with different agendas, demanding larger sums (or even a change in a company’s behavior in the case of activist hackers) to return stolen data – keeping it from being sold or disclosed publicly like we saw with the Sony breach.”

He also says that many companies may negotiate out of fear of backlash. “A full 66% of security professionals said they worried about the negative reaction of customers and employees whose data were compromised if they learned their organization chose not to negotiate with cybercriminals for its return after a breach was disclosed.”

So how can HR partner with IT to avoid becoming cybercrime victims? Employee security education is the key. “Even the most well-defended network using the latest cyber defenses can be breached if an employee clicks the wrong link. Organizations need to make employee security education a priority and engage employees to ensure that cybersecurity becomes part of their culture.”
