Much like in the real world, security experts advise victims not to give in to extortion demands.
In the long-running best seller on crime and self-protection, The Gift of Fear, author and crime consultant Gavin de Becker advises individuals threatened with extortion not to pay, a main reason being that it involves entering into a contract with a party that victims have little reason to trust.
The past year has seen an uptick in the number of high-profile cyber extortion incidents faced by companies. Just recently, the Virginia Department of Health Professions received a note demanding $10 million for the return of millions of patient records.
When contacted by victims and asked for advice, law enforcement personnel will also advise against capitulation, says Ed Skoudis, a senior security consultant with Washington-based consulting firm InGuardians who has worked with cyber extortion victims.
But threatened companies can face complex issues, one of which is that the stolen data frequently belongs to other people. Another challenge is that victims are frequently given little time to decide.
Contingency planning can help with the latter problem. Companies can map a general reaction strategy before they face an incident, Skoudis says.
“Cyber extortion seems to be increasing based just on the stories we are hearing,” said Mark Grantz, a U.S. Secret Service special agent, speaking at a recent cybercrime panel in Washington, D.C. But statistics are hard to find because many incidents are kept private, he said.
Cyber extortion is believed to be a “large” segment of cybercrime, says Alan Paller, president of the Bethesda, Maryland-based SANS Institute. Most frequently, extortionists threaten to release stolen data or shut down a Web site, he says.
Companies should begin crafting their basic strategy by choosing a decision maker, Skoudis says. This person is typically an executive, such as a chief executive officer or a chief operating officer. “It will be hard enough to make the decision” in the heat of the moment, Skoudis says. “The last thing you want is to have to decide who will make it.”
Skoudis then advises identifying and perhaps contacting a savvy cybercrime attorney, knowledgeable on relevant subjects, including intellectual property and the value and protection of personally identifiable information. Companies should also ensure that such an attorney is available during a possible incident to “talk through the issues.” Locating an attorney could be challenging if a company has under 24 hours, he says.
It could also make sense to contact a public relations firm with relevant experience, he says. In addition, organizations should identify someone with a proper technical background who can help verify a claim’s validity. The legal, public relations, and technical aspects can be considered a “three-legged stool,” he says.
The decision will be based mainly on facts on the ground, Skoudis says. A principal issue is threat credibility. Extortionists typically provide sample data or screen shots demonstrating access, he says.
Another big consideration is the potential damage and how many people could be hurt. But damages can be hard to calculate, Skoudis says. Exposing certain records and data can cause individuals considerable pain.
Companies should also discuss ideas with law enforcement, he says. But companies are legally entitled to make the decision on payment themselves, he says.
There is not a great deal that companies can do in advance of an incident, but a general plan identifying decision makers and decision-making parameters could help the company if it is faced with an incident, he says.