Does your company need an extortion policy?

IT pros have to master a variety of skills. But one that you definitely didn’t sign up for is hostage negotiations.

Unfortunately, it looks like that might be yet another task thrown at you.

The social networking site Meetup recently received an unusual demand. A hacker sent a friendly email explaining he had been hired by a competitor to bring down the site with a series of distributed denial of service (DDoS) attacks.

He kindly offered to call off the attacks in exchange for $300. The company declined to give in to these demands.

In a blog post, CEO Scott Heiferman explained what happened next: Over the course of three days, Meetup was hit with wave after wave of DDoS attacks, leaving it unavailable to users. Each time a security fix was implemented, another sophisticated attack would come in.

For large swaths of time from a Thursday morning through to Monday afternoon, the site was unavailable.

That $300 bribe looks like a bargain now, right? Not necessarily.

No safety guarantee

As Heiferman explained:

We chose not to pay because:

1. We made a decision not to negotiate with criminals.
2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.
3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world.
4. We are confident we can protect Meetup from this aggressive attack, even if it will take time.

All sound reasons.

If these hackers were able to take down a major website this easily, $300 is hardly a guarantee they wouldn’t strike again. As he points out, that was likely an offer to see if the company was willing to play ball.

And there is something distasteful about being made to pay a bribe just to continue doing business. It calls to mind images of petty crooks saying, “Nice website you got there … would be a shame if something should happen to it.”

Not the only concern

Here’s what’s especially concerning about this case: $300 seems to be the going rate these days for not getting your systems messed with. The Cryptolocker and Prisonlocker ransomware that made news last year are still at large, encrypting users’ data and charging them for the key. If users don’t pay $300, they’ll have their files encrypted forever.

Some have given in. A police department in Florida had to pay up. Others like Meetup have undoubtedly refused.

So the question is: What would you do?

Disgusting, but true: You need a plan

It’s come to this. If your company doesn’t already have a plan for dealing with extortion demands, you may need one. The chances of it happening are still slim, but hackers are smart enough to follow the money. If they see there’s a quick buck to be made trading security for cash, they could take it.

Meet with the top brass at your company. Explain these recent cases and find out what the procedure should be if you find yourself on the receiving end of demands like these. Be sure to explain that even low dollar demands might not be the end of your headaches.

On the off chance you become a victim of one of these attacks, the heat of the moment will be no time to make a decision. And the last thing you want is to be blamed or questioned for whichever decision you make when the clock starts ticking.