Technology can help fight the growing cyberextortion threat, but experts say not enough companies are prepared
In January, Thomas Ray, 25, of Mississippi, was indicted for allegedly claiming to have found a security flaw in Best Buy Co.'s systems and threatening to expose and exploit that flaw unless he was paid $2.5 million. A trial is expected this fall. And last year, Kazakhstan hacker Oleg Zezev was sentenced to 51 months for illegally entering Bloomberg L.P.'s systems and threatening to disclose the break-in if he wasn't paid $200,000.
Most extortion plans fail. According to Carnegie Mellon's survey, 70% of those threatened with extortion say the attempts were unsuccessful.
But it's a growing problem nonetheless. Networks with anywhere from a couple of hundred to tens of thousands of compromised systems that can be used to launch distributed denial-of-service attacks have increased sharply this year, says Vincent Weafer, senior director of Symantec Corp.'s Security Response service. The vendor tracks these attack networks, which are set up by "criminals who want to use them for profit," Weafer says. In six months, they've swelled from 2,000 to more than 30,000, he says.
Small and midsize businesses often believe cyberextortionists aren't interested in them because they're too small, with 68% of the companies in the Carnegie Mellon survey responding that they're at no or low risk. But Bednarski warns that's false comfort. "Being a small company may actually increase your risk," he says. "The extorters are scanning the Internet for vulnerable systems, and it's no skin off of their nose to send out letters demanding $5,000. If 10% of the companies pay, the extortionist is sitting pretty."
Moreover, many companies aren't taking necessary precautions. Only 21% of companies in the Carnegie Mellon study have formal training programs to teach employees how to respond to security breaches, and only 37% have performed security assessments in the past six months.
Perhaps more unsettling: 45% of companies express a lack of confidence in their technical department's ability to respond to security incidents. "More companies clearly need to raise their security posture," Symantec's Weafer says.
Otherwise, they may find themselves scrambling in the midst of an attack, as WagerWeb did. Now, the online site is better prepared to stand firm against a threat, should one arise. Says Johnson: "We won't give in."