A rise in cyberextortion attacks is forcing organizations to pay more attention to these types of threats. What is a CISO's responsibility when it comes to protecting their organization from cyberextortion attacks?
Risk is the ballast that determines the level of protection and the mechanisms that must be in place to safeguard corporate assets. The value of your intellectual property and corporate data, and how well they are protected, will determine whether or not your organization is a target for cyberextortion attacks.
Should a company pay ransom for information or computers taken hostage? Ethically speaking, the answer is no. But in a practical sense, given the criticality of the asset, it might have to.
Companies that fall victim to ransomware and pay the ransom tend to have either poor backups or insufficient controls. If that's not the case -- both backups and controls are working effectively, yet the organization still succumbs to a sophisticated attack such as cyberextortion -- there are still greater concerns about the organization's reputational or financial risk if the incident goes public. The CISO is responsible for ensuring the organization's security program is risk-based, regularly tested and functional so that it's poised to prevent extortion attacks. This means the CISO needs to oversee specific tasks, including:
- Performing full backups with daily incrementals of all critical data and intellectual property;
- Ensuring strong network security that's verified by monthly vulnerability scans and annual penetration tests;
- Ensuring there is current malware detection and antivirus protection on all servers and end-user devices, such as workstations, laptops and IoT devices;
- Ensuring there are RBAC-based application controls in place for any application providing access to critical data and intellectual property;
- Ensuring that encryption, hashing or tokenization is used on critical data and intellectual property with strong and proven key management procedures;
- Making sure there is comprehensive monitoring -- such as SIEM and file integrity monitoring -- that will alert cybersecurity and IT staff to anomalous changes in the IT infrastructure and production environments;
- Requiring all development staff responsible for key e-commerce and critical legacy applications to take, at a minimum, annual training on secure coding practices based on the OWASP Top 10 vulnerabilities;
- Ensuring the security awareness program is embedded into the business culture and that it focuses on social engineering attacks, spear phishing, security-minded customer etiquette and basic end-user cybersecurity; and
- Ensuring that the organization's incident response plan includes training for employees, especially training for executives and executive admins on how to handle an email or phone extortion scheme with ransom demands.
Not all enterprises will be subject to cyberextortion attacks, but all enterprises can be a target, especially if they are unprepared. The key is for the CISO to ensure sufficient controls, training, monitoring and recovery processes are in place to render an extortion or hostage situation merely an inconvenience rather than a critical business threat.
Related Q&A from Mike O. Villegas
Privacy and information security can often be at odds with each other in enterprises. Expert Mike O. Villegas explains how C-levels can help to get ...continue reading
Effective CISO communications are key to fostering a healthy relationship with the cybersecurity staff. Expert Mike O. Villegas reviews some ways to ...continue reading
The brief tenure of a federal CISO in the U.S. government recently came to an end. Expert Mike O. Villegas discusses the effect this has on the U.S. ...continue reading