Cyber extortion is an increasingly popular form of cyber attack that requires its own insurance solution.
The digital world we live in and ever-increasing number of companies that rely on the Internet for their business have created a highly fertile ground for cyber crime. According to Norton’s Cybercrime 2012 report, 70% of online adults in Canada have been the victim of cybercrime at some point in their life. Cybercrime costs Canadians $1.4 billion per year and the average cost per crime victim is over $160.
What is Cyber Extortion?
Businesses are increasingly being attacked by cyber criminals, and new forms of cyber crime emerge rapidly, leaving us often one step behind. One example of cyber attacks becoming increasingly popular involves cyber threats and extortion. Cyber threats and extortion is a type of online crime involving an attack or threat of attack against a company to damage, expose, or shut down information belonging to the company unless a ransom is paid to avoid or stop the attack.
How does it work?
In these types of attacks cyber extortionists steal information from businesses and encrypt it so that it can’t be read. The latest backup of data can also be snatched and the original data deleted from the owner’s servers. Cyber extortionists thus take the company data hostage and demand ransom in exchange for the decryption key that would allow the victims to access their own information. However, the criminals won’t necessarily decrypt the files even after the ransom had been paid. Further attacks are possible, either by the same group or another. The type of malware used in these cyber attacks is called ransomware and it is easily spread through spam, phishing emails and malvertising. The ease of spreading the malware, combined with little or no repercussions for criminals, who are hard to track down or prosecute, makes cyber extortion a very lucrative undertaking. Often, cyber extortionists’ worst case scenario is not getting a payment from the victim. In many cases, amount of money asked for ransom is significantly lower than the potential financial loss for the company, so that it is easier for the company to pay the ransom and move on. These types of attacks, unless they happened at a large public company or a government entity, often don’t get reported to authorities and never reach the public. The victims often don’t want to risk their reputation or destroy consumer confidence.
How can businesses protect themselves?
To manage and minimize the potential damage from a cyber attack, companies should employ a comprehensive cyber risk management strategy that along with a cyber insurance also includes appropriate loss control techniques, an assessment of company’s networks vulnerabilities, and employee security awareness training. There are many different cyber insurance policies out there providing various coverages. Businesses should make sure that their cyber insurance policy coveres costs in case the company is unable to access its computer system, the system is infected by a virus, confidential information is compromised, or its brand and reputation is tarnished by posts on social media. In addition, the policy should cover the cost of independent computer security consultant to assess any threats, prevent immediate threats, offer reward to prevent perpetrators of the threat and reimbursement of any ransom the company is required to pay in the event above measures fail to mitigate the threat against them.
