

Cyberextortion: How should CISOs handle it?

Organizations need to be aware of the threat of cyberextortion attacks and defend against them. Mike O. Villegas discusses the CISO's role in setting up the defense.

A rise in cyberextortion attacks is forcing organizations to pay more attention to these types of threats. What is a CISO's responsibility when it comes to protecting their organization from cyberextortion attacks?

Risk is the ballast that ensures proper protection levels and mechanisms are in place for the protection of corporate assets. The value and protection constructs of intellectual property and corporate data will determine whether or not your organization is a target for cyberextortion attacks.

Should a company pay ransom for information or computers taken hostage? Ethically speaking, the answer is no. But in a practical sense, given the criticality of the asset, it might have to.

Companies that fall victim to ransomware and that pay the ransom tend to have either poor backups or insufficient controls. If backups and controls are both working effectively and the organization still succumbs to a sophisticated attack such as cyberextortion, there are still greater concerns about the organization's reputation or financial risks if the incident goes public. The CISO is responsible for ensuring the organization's security program is risk-based, regularly tested and functional so that it's poised to prevent extortion attacks. This means the CISO needs to oversee specific tasks, including:

  • Performing full backups with daily incrementals of all critical data and intellectual property;
  • Ensuring strong network security that's verified by monthly vulnerability scans and annual penetration tests;
  • Ensuring there is current malware detection and antivirus protection on all servers and end-user devices, such as workstations, laptops and IoT devices;
  • Ensuring there are RBAC-based application controls in place for any application providing access to critical data and intellectual property;
  • Ensuring that encryption, hashing or tokenization is used on critical data and intellectual property with strong and proven key management procedures;
  • Making sure there is comprehensive monitoring -- such as SIEM and file integrity monitoring -- that will alert cybersecurity and IT staff to anomalous changes in the IT infrastructure and production environments;
  • Requiring all development staff responsible for key e-commerce and critical legacy applications to take, at a minimum, annual training on secure coding practices based on the OWASP Top 10 vulnerabilities;
  • Ensuring the security awareness program is embedded into the business culture and that it focuses on social engineering attacks, spear phishing, security-minded customer etiquette and basic end-user cybersecurity; and
  • Ensuring that the organization's incident response plan includes training for employees, especially training for executives and executive admins on how to handle an email or phone extortion scheme with ransom demands.
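The monitoring item above calls for file integrity monitoring that alerts staff to anomalous change. The following is an added example, not code from the original column or from any product it mentions, showing the core of such a check: a hash baseline of a directory tree, a diff against a fresh scan, and a simple rule that escalates when a large fraction of files is touched at once (the pattern a mass-modification incident produces, as opposed to a routine edit). The `threshold` value of 25% and the small constructed directory in `demo()` are assumptions chosen for illustration.

```python
"""Minimal file integrity monitoring: baseline, diff, and bulk-change alerting."""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[str(path.relative_to(root))] = digest
    return baseline


def compare(baseline, current):
    """Diff two baselines into added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def assess(diff, total_files, threshold=0.25):
    """Classify a diff: 'ok' (nothing changed), 'change' (routine), or
    'anomalous' when the share of files touched meets the threshold.
    The 25% threshold is an assumed tuning value, not a standard."""
    touched = len(diff["added"]) + len(diff["removed"]) + len(diff["modified"])
    if touched == 0:
        return "ok"
    if total_files and touched / total_files >= threshold:
        return "anomalous"
    return "change"


def demo():
    """Constructed scenario in a temporary directory: eight small files,
    one routine edit, then a bulk rename-and-rewrite of every file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(8):
            (root / f"doc{i}.txt").write_text(f"document {i}\n")
        base = build_baseline(root)

        # Routine activity: a single file is edited.
        (root / "doc0.txt").write_text("document 0 revised\n")
        routine_level = assess(compare(base, build_baseline(root)), len(base))

        # Bulk activity: every original file disappears and is replaced by a
        # differently named file with different content (constructed data).
        for i in range(8):
            (root / f"doc{i}.txt").unlink()
            (root / f"doc{i}.bak").write_text("placeholder content\n")
        bulk_level = assess(compare(base, build_baseline(root)), len(base))

    return routine_level, bulk_level


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored out of band (so that an attacker who alters files cannot also alter the record of their hashes), the scan would run on a schedule or from filesystem events, and an "anomalous" result would feed the SIEM rather than a print statement; the logic of baseline, diff and rate-based escalation stays the same.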

Not all enterprises will be subject to cyberextortion attacks, but all enterprises can be a target, especially if they are unprepared. The key is for the CISO to ensure sufficient controls, training, monitoring and recovery processes are in place to render an extortion and hostage situation merely an inconvenience and not a critical business threat.



This was last published in August 2016
