30% of security professionals surveyed said they're willing to negotiate with cyber-criminals to recover stolen or encrypted data.
… Especially Among Repeat Victims
That figure rises to 55% among companies that have already fallen victim to cyber-extortionists.
Keeping Up With the Joneses
86% of respondents said they believe other organizations negotiate with cyber-criminals.
Treasured Data
When asked which types of data they'd be most likely to negotiate for, employee data was the most cited (37%), followed by customer data (36%) and intellectual property (30%).
Perception Is Reality
66% of respondents are concerned about negative reactions from customers and/or employees if they learned that no effort was made to negotiate the return of their data.
Government Involvement Welcome
44% said the government should be granted immediate access to corporate networks in response to cyber-extortion attempts, and 38% said it should offer guidance to companies.
Insurance Should Help
59% of respondents said cyber-security insurance policies should provide for a third party to negotiate for the return of stolen or encrypted data.
Email Tops Threat List
When asked which threat vectors concern them most, respondents cited email as the greatest threat (31%), followed by insiders (28%) and the Web (27%). Mobile (7%) was a minor concern.
Not There Yet
49% of respondents said their organization has invested in the technologies and processes needed to protect against cyber-threats, but 46% of them said they must do more.
The meteoric growth of cyber-extortion as a prominent threat faced by enterprises has raised a new ethical conundrum for information security executives: to negotiate or not to negotiate? As extortionists have become more creative and precise in their theft and ransoming of valuable business data, what was once unthinkable—negotiating with criminals—has increasingly become standard practice. In fact, it's so standard that nearly one-third of security professionals surveyed are willing to play ball with cyber-criminals in order to get valuable data back. Such is the stand-out finding of a recent survey conducted by threat prevention software vendor ThreatTrack Security.
"A surprising number of security pros would concede to cyber-criminal demands to avoid the consequences of data compromise, loss or misappropriation," said Stuart Itkin, ThreatTrack senior vice president. By re-evaluating their security strategies to ensure rapid detection and elimination of threats, as well as the ability to restore encrypted data, Itkin said that enterprises "will neutralize the incentives that are driving cyber-crime extortion and help ensure security professionals will not have to face this difficult choice."
Tony has been writing about the intersection of technology and business for more than 20 years and currently freelances from the Grass Valley, Calif., home where he and his wife are raising their two boys. A 1988 graduate of the University of Missouri-Columbia School of Journalism and regular contributor to Baseline since 2007, Tony's somewhat infrequent Twitter posts can be found at http://twitter.com/tkontzer.