Between chaos and control: What cyber professionals can learn from hostage negotiators


Among the fascinating sessions at CIISec LIVE in November was a fireside chat with Sue Williams QPM, a specialist in crisis response and hostage negotiation and former head of the Metropolitan Police’s hostage Crisis Negotiation Unit.

Much of the chat dealt with insights into the differences between sea hijackings, siege management and kidnappings. This included the motivations behind these actions and the main dos and don’ts if you find yourself kidnapped.

Key points included:

  • keep to a routine
  • be a grey, accommodating person
  • if a woman, give the perception of being a mother
  • watch for signs of Stockholm Syndrome in any other victims
  • never ask for addresses or make other attempts to identify your captors

But there was also vital advice for cyber security professionals. In the era of ransomware, where almost anyone could be a target of a growing variety of attackers, knowing how to negotiate and act in a crisis could be critical.

In 2026, information travels fast and attackers hold all the cards. If they want, attackers can make a ransom public near-immediately, eliminating the time you might have to prepare a response. Linked to this is “starbursting”. Just as kidnappers might send their demands to everyone in a victim’s phone contacts, so attackers can reach far and wide to get the right person. Having a strategy ready to roll into action in the event of an attack will help stop attackers stealing the initiative.

F is for fake: Victims and potential victims need to be wary of fakes on both sides of the fence. Scammers aren’t above sending fake ransom demands in the hopes their victim will respond without knowing better, even using AI to fake evidence. And when a real event leaks out, opportunistic con artists can pretend to be the attacker. A complete picture of the situation, alongside clear communication protocols, will help keep these from the door.

At the other end of the scale, it’s important to remember that negotiators are not regulated. A third party brought in to help deal with attackers could be a vital asset, or could do more harm than good. This is unlikely to trouble a large business, but smaller organisations or individuals will need to be wary.

Remember the goal: As the negotiator, the aim isn’t to identify the attackers or bring them to justice. The goal is to create rapport and ultimately recover what was taken. Measuring progress should be based on this: for instance, any actions that help build trust with the attacker are wins. This doesn’t mean paying the ransom is always the answer, contrary to what TV might show. For instance, if the attackers come from a proscribed organisation, paying any ransom would be impossible anyway.

Responsibility in a crisis: Knowing who takes responsibility for actions in a crisis is crucial. It might not be the most senior person: we can’t predict how people will react, and someone who missed training or is used to consultation wouldn’t be able to make the right decisions under pressure. It’s also important to remember the difference between responsibility and accountability. One person will almost certainly be responsible for each individual action. But the accountability for the outcomes of those actions rests with everybody.

Thanks again to all the Members who attended LIVE, many of whom will have taken in the session in person. We hope to see as many of you as possible attending next year.
