Negotiating with cybercriminals: Why and how to do it

More than 23,000 Australian businesses fell victim to cyber incidents in 2019. Whether through ransomware, data theft, or a distributed denial-of-service attack (DDoS), criminals demanding money from organisations in exchange for the return of data or business operations continues to be a common occurrence.

While Australian companies wait for the Morrison government’s cyber counterattack laws to come into effect, those affected by cyberattacks that can’t fight back are often on their own when negotiating with cybercriminals.   

Now, this is not something your average citizen is trained to do. But as the cost of cybercrime in Australia this year gears up to exceed the billion-dollar mark by Christmas, it seems that a new attitude to handling data breaches may be crucial. 

In fact, the number of ransomware attacks around the world doubled in 2019. When medical records at the Melbourne Heart Clinic were held at ransom earlier this year, it wasn’t just data and finances that were impaired - criminals managed to tap into the centre’s patient care, business operations and reputation - an unfair outcome for an institution built on saving lives. 

And too many other companies have had similar experiences. But more worrying than the statistics themselves perhaps, is the fact that 52% of companies are simply paying the demands sought by cybercriminals outright - to avoid reputational or operational damage. 

Paying isn’t the only option

There are three reasons why you shouldn’t pay a cyber-criminal. Firstly, there’s a high chance that they’ll attack you again if you prove to be profitable. Secondly, and far more practical, many cybercriminals often don’t actually unlock your data, even if you pay them. After all, what incentive do they really have? They don’t care about reputation as a business or their customer sentiment. They have no obligation to keep their uphold of the deal. And finally, if nobody ever paid them, they would stop doing it.

It can become somewhat of a catch-22 situation. Choosing to simply not pay could lead to heavy losses in data and reputation. But paying isn’t always enough. Negotiating with cybercriminals during a cyberattack is one way forward that’s often overlooked, but it won’t be appropriate in every situation.

Conflict is not part of the job description for most people, and we often shy away from heavy discussions, especially if the outcomes are potentially negative or difficult. Plus, why you should negotiate if you aren’t going to pay? 

At its most basic, negotiating can help you buy time while law enforcement steps in to stop or reverse the attack. Entering into a discussion can also make the process hard and time-consuming for the criminal, and potentially deter them from coming to you again. In the worst case, negotiating also allows you to take the simple business decision of how much you can afford to pay back into your own hands. 

So, how do you do it well? 

Principles for good negotiation

There is always a chance that the person on the other end of the line isn’t as skilled in negotiation as they are in hacking. Take the opportunity to improve your defence response and start with the upper hand. Never negotiate from a position of fear. You may not be in control, but you can set your terms and define your boundaries as much as possible. For example, you could tell the hacker in question that “if you need $1 million, that’s going to take a long time, but I can wire $10,000 to you today.” 

You’ve also always got to know your plan B: what will you do if you can’t agree on a price? What will you do if you pay them, and they don’t give you the key? Have a backup approach, or final figure in mind if it doesn’t go your way. 

Just like buying a used car, you always need to know your walk-away amount. Decide how much you’re willing to give up before you’re on the other end of the line, and whatever that number is, write it on your desk or your whiteboard. If you don’t get that number, you must be willing to walk away, otherwise, it’s not a negotiation — it’s pure extortion.

Take control over your choice of communications channel too if you can. This matters a lot less than getting your tactics and figure right, but I like the idea of having a phone conversation. People are meaner on the internet than on the phone, and meaner on the phone than in-person. There’s a small chance that the more you can generate empathy, the more personal the conversation. After all, while you may feel nervous about your job security or the money involved, this might be your hacker’s income and livelihood. They may be using this crime to feed their children. Approaching them on the phone like a real human being could help them empathise with you too. 

Who should lead negotiations?

Identify who in your organisation has strong negotiation experience. You may have to get creative. Negotiation is a hard skill, and your IT manager might not be the one who has it. Maybe it’s someone in finance, or if you’re a large company, someone in your legal team or mergers and acquisitions department who negotiates for a living. 

Finally, try not to go into any negotiation alone. The first step should always be to involve law enforcement. These are criminals, and in the course of the negotiation, law enforcement may be able to find out who they are and prevent this from happening again. 

The reality is this: The cost of cyberattacks in Australia is set to increase by 52% by 2022. So, while it is all well and good to react appropriately and improve your defence mechanisms, the bottom line is ensuring your security is tight in the first place is the best way to handle cybercriminals. While it might be too late for some, many data breaches can be avoided by preventive measures, such as identity-as-a-service and identity and access management solutions, so you don’t find yourself in this situation.

Joan Pepin is CSO of Auth0, the identity management company for application builders. She is responsible for the holistic security and compliance of Auth0's platform, products, and corporate environment.