30 Percent of Potential Cybercrime Victims Plan to Negotiate

It's one thing to stand up and make bold pronouncements about how there will be no negotiation with terrorists, in the grandest action movie tradition, but when it comes to cybercrime, the actual response could be much different. A new report from ThreatTrack Security suggests that almost one in every three security professionals would sooner negotiate with cybercriminals who hold data hostage, whether the data has simply been encrypted or has been outright stolen.

The ThreatTrack report in question, titled appropriately Negotiating with Cybercriminals, shows that about 70 percent of professionals actually don't support negotiating at all. But this is in sharp contrast to reports that 86 percent of respondents believe that other cybersecurity professionals have already brokered a deal at one point or another with a cybercriminal. 40 percent have had reason to, having worked at an organization that was targeted by cybercriminals, and 55 percent of those were willing to open up negotiations. Indeed, 23 percent believed that companies should have a budget specifically for negotiating with cybercriminals, and 43 percent of individuals who had been previously attacked agreed.

There were also some differences on just where the government should get involved; 10 percent of respondents believed that it should be a crime to negotiate with cybercriminals, but 44 percent said the government should be immediately notified and given full access to networks to investigate cybercrime. 38 percent believed that the government should just set policies and offer help, and 30 percent said that it should be an option to even tell the government about it.

Perhaps most interesting of all is the revelation that the willingness to negotiate depends heavily on variables like the industry targeted or the type of data involved. Those going after the healthcare industry will find very few willing to negotiate, with 92 percent refusing. The financial services industry is only slightly better at 80 percent. Additionally, while half of all respondents would absolutely never negotiate, there was some wiggle room depending on the data: 37 percent would negotiate if employee data was involved, like social security numbers and addresses; 36 percent would for customer data; 30 percent would if intellectual property issues were involved, and 26 percent would for “confidential executive communications.”

It's not surprising that there would be plenty of different opinions on how to address cybercrime, and it's also easy to second-guess the numbers. Essentially the study announces a market for cybercriminals, since there is a clear and substantial number of companies ready to negotiate following such an event. Of course, that's also a cynical way to look at it; after all, the companies involved do have something of an obligation to protect that data in the first place, so why wouldn't that protection extend to negotiation? Still, the best plan is probably the simplest: defend against cybercrime as best as possible so that the issue doesn't come up any more than necessary already.

Though it may ultimately serve to encourage cybercriminals to go after data in pursuit of a fatter payday, the idea of negotiating with said criminals isn't necessarily a bad one. Protecting the data is what's important, and if all the protections fall away, it may even be worth offering some cybercriminals a brief but well-paid job to point out where the holes in the security were.