Cyber-crime has hit the U.S. hard; attacks on small businesses increased by more than 400% in 2019 alone[i], and damages are set to hit $6 trillion globally in 2021[ii].
Following a cyber-crime roundtable, Jack Blount, President & CEO at INTRUSION, Inc., and former CIO at the USDA states that "every American organization – in the public and private sector – has been or will be hacked, is infected with malware, and is the target of hostile nation-state cyber intruders."[iii]
So what is cyber extortion?
In the simplest terms, cyber extortion is most commonly deployed via email phishing attacks, where a victim clicks on a link or attachment containing malicious software known as ransomware. Attackers use ransomware to take a victim's data hostage, demanding payment in exchange for restoring access to it. Extortion demands often exceed six figures, and 70% of attacks involve a threat to publish sensitive data if payment is not made[iv].
Example of cyber extortion
A hospital in St. Louis receives a message on their computer system informing them that their network has been infected by malware and perpetrators have seized control of the hospital's computer systems. The perpetrators will only give back control to the hospital if they are paid $25,000.
How can it affect my business?
From the direct economic costs to reputational, trust and legal issues, a cyber extortion threat has many facets. According to Coveware's 2020 Q4 Ransomware Report, the average extortion demand is $154,108. Notably, the report also indicated that the average downtime is 21 days, with business interruption costs amounting to 5 to 10 times the extortion demand. To illustrate the total cost of a ransomware attack, we cite a 2020 case[v] in Buffalo, NY, where one organization estimated that it spent $10 million responding to a $30,000 ransom demand. Although half of the costs were attributed to staff overtime, lost revenue and other indirect costs, the organization would later incur further costs to upgrade technology and run employee awareness training.
Depending on the type of business you run, reputational damage concerning data breaches can result in loss of customers and a drop in profits until you can rebuild the trust.
Lastly, failure to deploy appropriate security measures following a cyber-threat of any kind can result in fines and regulatory sanctions.
What can I do about it?
Organizations decrease the likelihood of becoming a victim of cyber extortion by deploying the following strategies:
- Use multi-factor authentication (MFA) – including whether MFA is required for access (1) to the network generally, (2) to privileged accounts, (3) to web- or cloud-based email, (4) by vendors, and (5) to online backups.
- Patch management/patching cadence
- Employee training – phishing training
- Remote Desktop Protocol (RDP) – e.g., remote access controls (VPN, network-level authentication, MFA), firewall configuration
- Presence/management of End-of-Life (EOL) software
- Email/web filtering and response systems – Sender Policy Framework (SPF), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance)
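As an added illustration of the email-authentication controls named above (this is not code from the original article), the following Python checks SPF and DMARC TXT records for settings that leave a domain open to sender spoofing, the weakness that phishing relies on. The two domains and their records are constructed samples, not real DNS lookups.

```python
# Constructed sample DNS TXT records for two hypothetical domains (no real lookups).
SAMPLE_RECORDS = {
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.mail.test ip4:192.0.2.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    },
    "example-strong.test": {
        "spf": "v=spf1 include:_spf.mail.test -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-strong.test",
    },
}

def spf_findings(record):
    """Return weaknesses found in an SPF record (empty list means none)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    findings = []
    last = record.split()[-1].lower()          # the terminating 'all' mechanism
    if last in ("+all", "all", "?all"):
        findings.append("SPF '%s' does not cause spoofed mail to fail" % last)
    elif last == "~all":
        findings.append("SPF softfail '~all'; spoofed mail is only marked, not rejected")
    elif last != "-all":
        findings.append("SPF record lacks a terminating 'all' mechanism")
    return findings

def dmarc_findings(record):
    """Return weaknesses found in a DMARC record (empty list means none)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record published"]
    findings = []
    # Tags are 'key=value' pairs separated by semicolons, e.g. 'p=reject'.
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy tag missing or invalid")
    elif tags.get("pct", "100") != "100":
        findings.append("DMARC pct=%s applies the policy to only a sample of mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua address; aggregate reports will not be received")
    return findings

def assess(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one of the sample domains."""
    r = records[domain]
    return spf_findings(r.get("spf")) + dmarc_findings(r.get("dmarc"))
```

Running `assess("example-weak.test")` reports the softfail SPF and the monitor-only DMARC policy, while the strong domain returns no findings.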
Detecting network intrusions and suspicious behavior
- Endpoint Protection Products (EPP) and Endpoint Detection and Response (EDR) Products
- Vulnerability scans
- Other Endpoint Protection solutions – such as signature and behavioral-based antivirus products
- Intrusion Detection Systems and Intrusion Prevention Systems
- Security Incident Event Management (SIEM)
Protecting user and privileged accounts/limiting the attackers' lateral movement
- Identity Access Management (IAM)/Privileged Account Management (PAM)
- Network segmentation/segregation
- Configuration management practices – hardened baseline configurations
- Service account management
Preparing for, responding to, and mitigating an attack
- Backup practices – use of encryption; maintenance of backups online, offline, onsite and offsite; testing of restoration from backups
- Incident response/ransomware plans – frequency of testing, table-top exercises
- Disaster recovery/business continuity plans – Recovery Time Objectives (RTO)
Cyber insurance protection
A cyber insurance policy is an optimal way to transfer the costs of a ransomware attack. A well-negotiated cyber policy can cover many types of costs, including:
- legal counsel to meet compliance obligations,
- forensic investigation firms to investigate the attack,
- cyber extortion negotiators with immediate access to cryptocurrency for payment,
- business interruption and extra expense coverage,
- data recovery costs,
- costs to notify affected individuals and regulatory authorities,
- credit monitoring services for affected individuals,
- a PR firm to reduce reputational harm,
- costs to defend and settle third-party lawsuits and regulatory investigations.
Whilst Gallagher Crisis Protect does not replace traditional cyber insurance, it does include supplementary cyber extortion risk consulting before an incident, a helpline to call when an incident occurs, and support following the incident.
We respond to 18,000 crisis events every year for businesses across all sectors, including many small businesses. For more information contact Charles Pippert.