#hacking | Negotiating with cybercriminals: Why and how to do it – CSO

Credit: ID 105614885 © Vectoraart | Dreamstime.com

More than 23,000 Australian businesses fell victim to cyber incidents in 2019. Whether through ransomware, data theft, or a distributed denial-of-service attack (DDoS), criminals demanding money from organisations in exchange for the return of data or business operations continues to be a common occurrence.

While Australian companies wait for the Morrison government’s cyber counterattack laws to come into effect, those affected by cyberattacks that can’t fight back are often on their own when negotiating with cybercriminals.   

Now, this is not something your average citizen is trained to do. But as the cost of cybercrime in Australia this year gears up to exceed the billion-dollar mark by Christmas, it seems that a new attitude to handling data breaches may be crucial. 

In fact, the number of ransomware attacks around the world doubled in 2019. When medical records at the Melbourne Heart Clinic were held at ransom earlier this year, it wasn’t just data and finances that were impaired – criminals managed to tap into the centre’s patient care, business operations and reputation – an unfair outcome for an institution built on saving lives. 

And too many other companies have had similar experiences. But more worrying than the statistics themselves perhaps, is the fact that 52% of companies are simply paying the demands sought by cybercriminals outright – to avoid reputational or operational damage. 

Paying isn’t the only option

There are three reasons why you shouldn’t pay a cyber-criminal. Firstly, there’s a high chance that they’ll attack you again if you prove to be profitable. Secondly, and far more practical, many cybercriminals often don’t actually unlock your data, even if you pay them. After all, what incentive do they really have? They don’t care about reputation as a business or their customer sentiment. They have no obligation to keep their uphold of the deal. And finally, if nobody ever paid them, they would stop doing it.

It can become somewhat of a catch-22 situation. Choosing to simply not pay could lead to heavy losses in data and reputation. But paying isn’t always enough. Negotiating with cybercriminals during a cyberattack is one way forward that’s often overlooked, but it won’t be appropriate in every situation.

Conflict is not part of the job description for most people, and we often shy away from heavy discussions, especially if the outcomes are potentially negative or difficult. Plus, why you should negotiate if you aren’t going to pay? 

At its most basic, negotiating can help you buy time while law enforcement steps in to stop or reverse the attack. Entering into a discussion can also make the process hard and time-consuming for the criminal, and potentially deter them from coming to you again. In the worst case, negotiating also allows you to take the simple business decision of how much you can afford to pay back into your own hands. 

So, how do you do it well? 

Source link

Leave a Reply