Seven Tips for Negotiating with Hackers (or Anyone for that Matter)
By GRSMCyberPrivacyTeam on January 7, 2022
These tips will help cyber-security experts in ransomware negotiations with hackers. But they apply universally to any negotiation in business, legal, or even personal affairs.
1. Be Kind
Confrontation is pointless in negotiations. Not only does it cloud thinking, but it raises defensiveness on the other side, which can end any hope of a resolution. The same is true with a neutral, poker-face style of communication. It comes across as unnatural, putting the other side on guard that something might not be right. So, be kind. Or, at least appear that way, and if things go sideways, take a break or resume another day.
2. Do Your Homework
Making moves in negotiations requires understanding the options: best case, worst case, and everything in between. And the side with more options—or perceived to have more—often has the power. Before negotiations, figure this out through research and analysis. View the options and pressure points from the other side as well. Knowing those, counter arguments and ways to exploit pressure can be developed, and “walk-away” points can be clearly defined.
3. Solicit Information
Making moves in negotiations also requires obtaining information from the other side. Two classic (but still effective) ways to do this are (1) through silence (listen more than talk)—leading the other side to communicate to end the discomfort—and (2) open-ended questions (use the “5Ws 1H” approach)—inviting the other side into a dialogue that you control.
4. Avoid Ranges / Round Numbers
A range of numbers has a low end and a high end. Naturally, giving a range in negotiations signals that your low end is acceptable. So, stick with specific figures, but at the same time avoid round ones—they can lack believability and suggest a made-up number without justification. If possible, slow down the back and forth by remaining patient and not overly eager to conclude a deal that may leave money on the table.
5. Choose Words Carefully
Different words can carry similar meanings, but selecting the right word (and sometimes the right time for it) is a skill in negotiations. Aggressive words can always be toned down. Consider, for example, position, objection, and impasse versus view, reservation, and stuck. And when dealing with those whose first or even second language is not the same, diction and tone can be even more important.
6. Use “Tactical Empathy”
When the other side knows they have been understood, negotiations can continue. Demonstrate appreciation for the other side’s perspective, even if you disagree with it. Get the other side to do the same. Use this to develop a working relationship. *Read Chris Voss’ book “Never Split The Difference.”
7. Maintain Credibility
Just as challenging, the other side in negotiations can reset leverage, so be willing to accept challenges going in the opposite direction. Otherwise, the other side may feel things are one-sided. This can lead to a loss of credibility in wanting—or being perceived as wanting—to work toward an agreed solution. Indeed, sometimes giving in on small but important issues can prompt bigger moves in your favor. Don’t concede on key points without getting something back.
***
Ransomware attacks continue to rise. The ideal approach is to prevent them in the first place with the right mix of cybersecurity services and a ransomware-specific cyber-incident response plan. In reality, hackers will sometimes find ways to penetrate even the most well-protected organizations. If your company does become an unwitting victim of a ransomware attack, these tips provide the foundation to the “dos and don’ts” of negotiating with hackers and putting you or your organization in a more advantageous position to achieve the best outcome for your company.
By Kurtis Minder, CEO, GroupSense & Joe Meadows, Partner, Gordon Rees Scully Mansukhani, LLP
This content was prepared for informational purposes only and was not intended to provide legal advice. Any views expressed herein are those of the author(s), and are not necessarily the views of any firm or client. This document may be considered attorney advertising under the rules of some states. Prior results do not guarantee a similar outcome.