After 30+ years with the Canadian Federal Police, Cal Chrustie “retired” and transitioned to InterVentis Global. He now provides education, consulting, and coaching on cyber terror incidents. When Cal’s organization is brought in to coach, it’s usually at the last minute.
But when they offer public education, Cal advocates for having a plan in place if—or when—a response becomes necessary. You have to prepare to engage with the insurance company for the ransom. You have to engage with lawyers to mitigate the risks you face. So where do you start?
Practice the cyber negotiation process
Cal notes that you must exercise the plan just like any other negotiation. The best way to learn is through a live and structured simulation. Exercising the concept also brings a degree of self-awareness to the process that you wouldn’t otherwise have. Creating a plan and exercising it is critical to successful negotiations. Cal 100% recommends having a protocol in place.
Don’t concede to the cyber-terrorist’s demand(s)
Where do cyber negotiations often fail? Cal firmly believes it’s when the company or business pays a ransom. Lawyers aren’t always aware that once you pay a ransom to a proxy, it doesn’t matter if everything is okay today. What’s going to happen tomorrow? What will happen 6 months from now? A year from now? You are opening yourself up to legal risk. Why?
Maybe in country X it’s okay to pay a ransom. But country Y—where you have other parts of your business—won’t look at paying a ransom favorably. It puts your company at risk. People don’t always consider sanction issues, money-laundering laws, and terrorist financing issues. What if the government is tracking terrorist movement and the money you paid a cyber-terrorist is traced back to you?
Client privilege doesn’t give you confidentiality
Normal business negotiations have a degree of security and confidentiality in terms of strategy. So when a lawyer closes his door, he thinks client privilege will give him confidentiality. But every email and every phone call is going to be monitored and tracked by friendly and unfriendly countries. The criminal actors themselves have the ability to listen to and monitor the negotiation process.
Lawyers are trying to keep the negotiation and information private to protect the reputation of the company. Lawyers are consumed by the fact that they’ll likely have to deal with a civil lawsuit from their customer’s data being breached. They want to mitigate the risk and the reputational damage if they were to actually pay out a ransom. But the negotiation bubble needs to be protected—not just by legal privilege. Presume that everyone is listening to you. Take operational security measures. Lock down how you communicate.
Bring in the big guns
It’s why Cal advocates that you bring in the experts—on the front end for training and education, and during a crisis as a third set of eyes. You don’t just need to hire expert negotiators. You need to bring in a third eye for critical analysis. If you don’t have the third set of eyes helping through the process, things can be missed. Another perspective can mean the difference between a successful negotiation with a cyber-terrorist and a failed negotiation and a concession.
Plus, Cal points out that cyber-criminals aren’t your common criminals. They’re educated and intelligent and often work for organized crime groups. So how do you handle these intelligent criminals? How does negotiation with cyber-terrorists parallel hostage negotiations? Cal Chrustie shares his thoughts from his 30+ years of expertise in episode #167 of the Negotiations Ninja podcast. Check it out!