Tim is a response consultant in the cyber sphere, but what does the job actually entail?
Typically there are three external entities that make up a cyber consultancy: legal, forensics, and communications.
Tim’s team is the fourth party: the crisis managers, or “ringmasters”, in a cyber incident. They look at how the crisis develops as a whole and coordinate the many moving parts (the breach lawyers, the forensics team and the crisis comms people) in a holistic way.
They also bring expertise in extortion negotiation because, “extortion in a cyber event is almost exactly the same as some guy walking into a packing shed in Mexico with a gun and saying I'm going to burn the place down if you don't give me X amount of thousands of dollars,” Tim says.
The difference is that in a kidnapping, once the ransom is paid, the kidnapped person is returned, whereas in a cyber ransom attack, “if I pay a ransom, the data will not be returned and there will always be a copy of it somewhere, despite what they say,” Tim explains.
“Paying a ransom decouples the company's reputation from the data,” Tim states, “meaning that if the company turns around to the extortionists and says I'm not going to pay this ransom, quite often the extortionist just leaves and goes onto the next lowest hanging fruit. But you run the risk that what they will do is publish it with a big sign that says this is X company's data.” This can obviously be a disaster in terms of reputational management.
Tim highlights that negotiating to reduce the extortionists’ expectations could perhaps gain a 25-50 percent reduction in the demand. You might also negotiate to extend deadlines, which gives you more time to harden your systems and to make sure the attacker is no longer inside and cannot exploit some other zero-day vulnerability available to them.
So if you pay the ransom at the end of a resistance-led negotiation, they will not then publish the data, which protects your company’s reputation. It also allows you to contact the people whose data has been taken to say it has been sorted and that, although it is not serious, there may be a chance their data will resurface on the web, so they should be extra alert to phishing emails or bogus calls. “We don't think that there would be any further implications to this because we have negotiated and talked to these people,” would be a good way to reassure your customers, Tim advises.
Tim says that these days most people understand there are two sorts of companies: those that have been hacked and those that have not been hacked yet. He thinks that people would be sympathetic to companies who’ve come clean about their hack in a controlled manner, at the right time.
Advice for the victim: don’t get personal, it’s not about you
What the victim has to understand is that the extortionist is treating this as a business. The target usually feels personally victimised but for the bad guys it's just another day at the office which just happens to be a criminal activity.
It's an extremely unusual and very unnerving experience for people who don't deal with them every day but for Tim it’s just an event which can be broken down and dealt with in manageable, bite-sized chunks.
“The whole point of crisis management is making sure you cover all the bases and you're dealing with it in a systematic manner, knowing that there is likely to be a good outcome at the end of it, although somewhat costly,” he says.
Find out much more about what Tim Lambon has to say on the matter at this year’s R3 Summit, when he’ll be presenting a case study on "The right way to brief your crisis communications team". Tim will be looking at communication strategies and case studies for mitigating cyber security breaches and improving recovery.