Should Companies Negotiate With Cyber-Criminals?

By Tony Kontzer

1 of

Should Companies Negotiate With Cyber-Criminals?

By Tony Kontzer
Negotiation Is in Play …

30% of security professionals surveyed said they're willing to negotiate with cyber-criminals to recover stolen or encrypted data.
… Especially Among Repeat Victims

That figure rises to 55% among companies that have already fallen victim to cyber-extortionists.
Keeping Up With the Joneses

86% of respondents said they believe other organizations negotiate with cyber-criminals.
Treasured Data

When asked which types of data they'd be most likely to negotiate for, employee data was the most cited (37%), followed by customer data (36%) and intellectual property (30%).
Perception Is Reality

66% of respondents are concerned about negative reactions from customers and/or employees if they learned that no effort was made to negotiate the return of their data.
Government Involvement Welcome

44% said the government should be granted immediate access to corporate networks in response to cyber-extortion attempts, and 38% said it should offer guidance to companies.
Insurance Should Help

59% of respondents said cyber-security insurance policies should provide for a third party to negotiate for the return of stolen or encrypted data.
Email Tops Threat List

When asked which threat vectors concern them most, respondents cited email as the greatest threat (31%), followed by insiders (28%) and the Web (27%). Mobile (7%) was a minor concern.
Not There Yet

49% of respondents said their organization has invested in the technologies and processes needed to protect against cyber-threats, but 46% of them said they must do more.
View All Slideshows >

The meteoric growth of cyber-extortion as a prominent threat faced by enterprises has raised a new ethical conundrum for information security executives: to negotiate or not to negotiate? As extortionists have become more creative and precise in their theft and ransoming of valuable business data, what was once unthinkable—negotiating with criminals—has increasingly become standard practice. In fact, it's so standard that nearly one-third of security professionals surveyed are willing to play ball with cyber-criminals in order to get valuable data back. Such is the stand-out finding of a recent survey conducted by threat prevention software vendor ThreatTrack Security. "A surprising number of security pros would concede to cyber-criminal demands to avoid the consequences of data compromise, loss or misappropriation," said Stuart Itkin, ThreatTrack senior vice president. By re-evaluating their security strategies to ensure rapid detection and elimination of threats, as well as the ability to restore encrypted data, Itkin said that enterprises "will neutralize the incentives that are driving cyber-crime extortion and help ensure security professionals will not have to face this difficult choice."

This article was originally published on 2015-05-20

Tony has been writing about the intersection of technology and business for more than 20 years and currently freelances from the Grass Valley, Calif., home where he and his wife are raising their two boys. A 1988 graduate of the University of Missouri-Columbia School of Journalism and regular contributor to Baseline since 2007, Tony's somewhat infrequent Twitter posts can be found at http://twitter.com/tkontzer.

Should Companies Negotiate With Cyber-Criminals?

Should Companies Negotiate With Cyber-Criminals?

Negotiation Is in Play …

… Especially Among Repeat Victims

Keeping Up With the Joneses

Treasured Data

Perception Is Reality

Government Involvement Welcome

Insurance Should Help

Email Tops Threat List

Not There Yet