06:50 PM

Extortion Online

Technology can help fight the growing cyberextortion threat, but experts say not enough companies are prepared

In January, Thomas Ray, 25, of Mississippi, was indicted for allegedly claiming to have found a security flaw in Best Buy Co.'s systems and threatening to expose and exploit that flaw unless he was paid $2.5 million. A trial is expected this fall. And last year, Kazakhstan hacker Oleg Zezev was sentenced to 51 months for illegally entering Bloomberg L.P.'s systems and threatening to disclose the break-in if he wasn't paid $200,000.

Most extortion plans fail. According to Carnegie Mellon's survey, 70% of those threatened with extortion say the attempts were unsuccessful.

But it's a growing problem nonetheless. Networks with anywhere from a couple of hundred to tens of thousands of compromised systems that can be used to launch distributed denial-of-service attacks have increased sharply this year, says Vincent Weafer, senior director of Symantec Corp.'s Security Response service. The vendor tracks these attack networks, which are set up by "criminals who want to use them for profit," Weafer says. In six months, they've swelled from 2,000 to more than 30,000, he says.

Small and midsize businesses often believe cyberextortionists aren't interested in them because they're too small, with 68% of the companies in the Carnegie Mellon survey responding that they're at no or low risk. But Bednarski warns that's false comfort. "Being a small company may actually increase your risk," he says. "The extorters are scanning the Internet for vulnerable systems, and it's no skin off of their nose to send out letters demanding $5,000. If 10% of the companies pay, the extortionist is sitting pretty."

Moreover, many companies aren't taking necessary precautions. Only 21% of companies in the Carnegie Mellon study have formal training programs to teach employees how to respond to security breaches, and only 37% have performed security assessments in the past six months.

Perhaps more unsettling: 45% of companies express a lack of confidence in their technical department's ability to respond to security incidents. "More companies clearly need to raise their security posture," Symantec's Weafer says.

Otherwise, they may find themselves scrambling in the midst of an attack, as WagerWeb did. Now, the online site is better prepared to stand firm against a threat, should one arise. Says Johnson: "We won't give in."
