In the shadowy world of security threats and bad actors, cyber extortion is a growing trend. Cybercriminals are taking advantage of the vulnerability of intellectual property, threatening to release potentially embarrassing information and encrypting data to render it useless to the rightful owners, among other sinister practices.

Unlike the risks associated with more traditional cybertheft, such as the loss of customer account data, the risks and costs related to extortion can be indirect and difficult to assess. The conventional thief looks for information, such as credit card numbers, that can be easily converted to money. This data has a direct market value — at least on the black market.

The cyber extortionist, however, takes advantage of information that is valuable to its rightful owner by rendering the data unusable and holding it for ransom or threatening to release it publicly.

Risk Assessment Is Crucial

According to TechTarget, risk assessment is crucial, especially considering the range of possible targets for cyber extortion and the varied forms it can take. Some data may pose multiple vulnerabilities. It’s important to know the protective measures and prospective costs associated with each one.

An email exchange between key employees, for example, might contain ideas and strategies that, if released publicly, would benefit business rivals. The exchange may also contain candid remarks that would be embarrassing if made public. This could persuade an enterprise to pay an extortionist not to release them.

On the other hand, covert encryption of an email thread could deny employees the ability to review and build upon their own work. Encryption could also potentially trigger a compliance violation if the organization loses its access to data it is responsible for preserving and providing on demand.

Protecting Against Cyber Extortion

In short, cyber extortion can put a single data repository at risk in multiple ways, each involving distinct technologies — both on the threat vector side and the protection side. The protective measures against cyber extortion threats can be as varied as the threats themselves.

Protective encryption of data can safeguard against it being exposed by cybercriminals. However, this does not protect against further unauthorized encryption that could render the data inaccessible. Prompt backup of generated data can protect the data from tampering, such as covert encryption, but does not keep attackers from releasing data taken from stolen originals.

As the TechTarget article put it, “risk is the ballast that ensures proper protection levels and mechanisms are in place” to protect enterprises against the full range of possible cyber extortion threats.

The CISO’s Responsibility

The CISO is at the center of the risk assessment and weighting process that determines what data repositories are at risk of what types of attacks, the magnitude of these risks and the optimum protective measures against each.

All enterprise leaders, however, must understand the challenges posed by cyber extortion and the need for a risk-based response.

More from CISO

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…