With organizations increasingly facing targeted attacks that combine ransomware and extortion, management needs to think about hiring a professional negotiator to deal with attackers, says a cyber expert.
Dominique C. Brack, principal information security at T-Systems International, said Thursday during an online cyber conference called siberXchange, staged by Richmond Hill, Ont.-based siberX, that most enterprises aren’t prepared for those situations. “From my experience enterprises are not quite ready yet.”
Organizations are still debating whether ransomware is part of business continuity, Brack said. But, he added, “in my view, ransomware needs to be a top priority and belongs in a business continuity plan. So if you are a CEO, a CSO, a risk manager, ransomware — including consideration for negotiation — needs to be on your agenda right now.”
Negotiating with an extortionist is “not like haggling over price in a sale,” he added. “In a real situation in a large corporation, it’s complex.” There are a wide range of factors to consider including whether to pay, he said.
“It’s absolutely important to think about negotiations and how it will take place within your company.”
Other panellists included Anne Leslie, a senior managing consultant for IBM Security based in France; Calvin Chrustie, Vancouver-based partner and senior consultant at InterVentis Global, along with his New York City-based partner Timo der Weduwen; and Patrick Wheeler, co-founder of CyberWayFinder, a Belgian cybersecurity training company.
Chrustie and der Weduwen, former policemen with extensive training in the field, originally formed their firm to represent organizations in hostage negotiations and crisis management. It says something about the current state of online attacks that they now also act for firms in cyber extortion cases.
der Weduwen, a former member of the Netherlands Police and a graduate of Scotland Yard’s international hostage negotiation program who trains UN hostage managers, said there are many similarities between hostage and cyber negotiations: threats, demands and deadlines.
These crises create a tremendous amount of pressure on management teams, he noted. “It seems it takes away their oxygen, takes away their critical thinking, even their ability to work as a team. So you see a lot of quick decision-making, a lot of emotional reacting while the crisis is going on …
“You need more than a smart person to deal with it [negotiation]. You need a team, you need a concept. And the moment that you work according to a procedure based on the success you can find your way through this crisis and then start using negotiation as a tool” to take control of the agenda.
From the IT side, Wheeler said crisis managers and business continuity experts aren’t good at making management decisions. “Incident responders are lovely technicians and understand the technology, but are not in the position to draw the link with the strategic decision-maker.” And management, he added, has trouble working with cyber experts.
Referring to der Weduwen’s comment about a crisis drawing oxygen from a room, Wheeler said professional negotiators “bring stillness into the room and enable decision-making.”
“This is not something you improvise,” Leslie said of negotiation with an attacker. “This is honed.”
Looking at the different skills needed to solve different problems extends to cyber hiring, she added. “We need to think differently.”
What an experienced hostage negotiator does is allow management to make better decisions, Chrustie said. Outside negotiators can also give management cover in countries where paying a ransom to anyone connected with a terrorist group is illegal, der Weduwen said. If asked why a ransom was paid, management can say, “We did the best we could, took the advice of professional negotiators.”
Finally, Leslie said it’s vital that management and the IT team be prepared for any eventuality. “You can’t know how these events will feel until you have a crisis … My strong recommendation is people in cybersecurity, the C-suite, think about what they will do, who they will call” in a major incident.
“Failing to plan, failing to anticipate, risks not just data and infrastructure. It risks people.” And sometimes a specialist may be needed.
“It’s not an admission of failure to say there are things in specific situations we don’t know how to do,” she said.
The conference concludes today.