In the shadowy world of security threats and bad actors, cyber extortion is a growing trend. Cybercriminals are taking advantage of the vulnerability of intellectual property, threatening to release potentially embarrassing information and encrypting data to render it useless to the rightful owners, among other sinister practices.

Unlike the risks associated with more traditional cybertheft, such as the loss of customer account data, the risks and costs related to extortion can be indirect and difficult to assess. The conventional thief looks for information, such as credit card numbers, that can be easily converted to money. This data has a direct market value — at least on the black market.

The cyber extortionist, however, takes advantage of information that is valuable to its rightful owner by rendering the data unusable and holding it for ransom or threatening to release it publicly.

Risk Assessment Is Crucial

According to TechTarget, risk assessment is crucial, especially considering the range of possible targets for cyber extortion and the varied forms it can take. Some data may pose multiple vulnerabilities. It’s important to know the protective measures and prospective costs associated with each one.

An email exchange between key employees, for example, might contain ideas and strategies that, if released publicly, would benefit business rivals. The exchange may also contain candid remarks that would be embarrassing if made public. This could persuade an enterprise to pay an extortionist not to release them.

On the other hand, covert encryption of an email thread could deny employees the ability to review and build upon their own work. Encryption could also potentially trigger a compliance violation if the organization loses its access to data it is responsible for preserving and providing on demand.

Protecting Against Cyber Extortion

In short, cyber extortion can put a single data repository at risk in multiple ways, each involving distinct technologies — both on the threat vector side and the protection side. The protective measures against cyber extortion threats can be as varied as the threats themselves.

Protective encryption of data can safeguard against it being exposed by cybercriminals. However, this does not protect against further unauthorized encryption that could render the data inaccessible. Prompt backup of generated data can protect the data from tampering, such as covert encryption, but does not keep attackers from releasing data taken from stolen originals.

As the TechTarget article put it, “risk is the ballast that ensures proper protection levels and mechanisms are in place” to protect enterprises against the full range of possible cyber extortion threats.

The CISO’s Responsibility

The CISO is at the center of the risk assessment and weighting process that determines what data repositories are at risk of what types of attacks, the magnitude of these risks and the optimum protective measures against each.

All enterprise leaders, however, must understand the challenges posed by cyber extortion and the need for a risk-based response.

More from Risk Management

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Why consumer drones represent a special cybersecurity risk

3 min read - Cybersecurity staff at an East Coast financial services company last summer detected unusual activity on its internal Atlassian Confluence page originating inside the company’s network. The MAC address used locally belonged to an employee known to be currently using the same MAC address remotely, according to a security specialist named Greg Linares, who had secondhand information about the attack. So, the team used a Fluke AirCheck Wi-Fi Tester device to identify the device logged in, which led the team to…