Cyberthugs targeting companies with ransomware based on extortion amount for data

Cyberthugs are targeting companies with ransomware based on what valuable data is held and how much can be extorted for data.

As if the steady rise of ransomware isn’t alarming enough, businesses that get hit with ransomware may not be unlucky targets of opportunity, but targets of choice as cyberthugs are setting ransom demands based on how much valuable data a business has.

That is just one cybersecurity and online privacy trend found in the 2016 Data Protection and Breach Readiness Guide. With a nod to Data Privacy Day, the Online Trust Alliance (OTA) released its new guide as well as key findings from its analysis.

Ransomware and extortion trends

Regarding ransomware, OTA found that “recent ransom demands have shifted from opportunistic extortion to being market-based – meaning cybercriminals are targeting businesses with more valuable data and varying how much they are trying to extort from those companies based on a variety of factors.”

“Much like surge pricing for taxis, cybercriminals now target and calculate their ransomware pricing based on company size, market value and much more,” said Craig Spiezle, Executive Director and President of OTA. “Cyber-surge pricing of corporate data is becoming widespread, increasing the impact and costs for businesses and their employees worldwide.”

Root causes of data breaches involving the loss of PII

Additionally, OTA said a whopping 91% of data breaches that happened from January to August 2015 could have easily been avoided had servers and software been patched, or if the data had been encrypted, or had employees not lost their laptops.

After analyzing more than a thousand 2015 breaches which included the loss of personally identifiable information (PII), OTA reported that only 34% of the breaches were a result of being hacked. 30% traced back to employees, some caused by accidents and others by malicious intent – all of which were due to “lack of internal controls.”

The remainder of breaches were broken down as: 9% of incidents were blamed on stolen or misplaced documents; 8% were attributed to social engineering and fraud; 7% were a result of lost or stolen devices.

Key lessons learned

Key lessons learned (pdf) included that there needs to be a shift in attitude for better data security as in stop putting it all on IT and make data stewardship a company-wide issue. Be a “Boy Scout” as in be prepared. The data a company holds may be its most valuable asset, so treat it like it is. If a business uses cloud services or third party providers, do repeated risk assessments before signing a contract and get weekly or monthly reports from the vendors. And remember, “security and privacy are absolutes and must evolve.”

Security best practices

OTA also released a list of 14 baseline security best practices (pdf) which kick off with using encryption for data at rest, in storage and in transit, followed by password management as in if you store passwords then make sure they are hashed and salted or encrypted.

“Improving data security is imperative for businesses as data breaches continue to expose sensitive data, or compromise an organization's back-end systems or online presence,” said Verisign CSO Danny McPherson. “As the online threat landscape evolves, businesses of all sizes must continue to enhance their data security practices in order to protect themselves and their customers from falling victim to cyberattacks and ensure they respond appropriately if and when they do.”

Beside the guides mentioned above, OTA released a risk assessment guide (pdf), forensic basics with do’s and don’ts (pdf), a law enforcement reporting template (pdf), a checklist of data breach remediation service considerations (pdf) and a list of things to consider when evaluating cyber insurance coverage (pdf).

Cyber insurance

Regarding the latter, Pascal Millaire, Vice President of Cyber Insurance at Symantec, said, “Annual cyber insurance premiums are projected to grow tenfold from $2 billion today to $20 billion by 2025. Companies need to heed the advice as outlined in OTA’s guide, including closely examining insurance coverage and any exclusions for failing to adhere to security best practices, procedures and risk controls.”

Tread carefully through the burgeoning cyber insurance market as some firms have believed they were covered only to have their claim rejected such as after a phishing attack. Some other CISOs overwhelmingly believe that third-party software providers should be held liable when vulnerabilities are found in their packed software – an important note since three out of four enterprise apps are produced by third-party software vendors whose software contains flaws listed in the OWASP Top 10. While figuring out what you need your business’s cyber insurance to include, keep in mind that OTA said, “As part of the underwriting process, carriers are increasingly demanding qualitative assessments of their policyholders’ cybersecurity defenses.”

Remember, Data Privacy Day isn’t something a company pretends to care about because it’s trendy one day a year. If you have our data, you’d best protect it and have a plan if you are compromised. If that still doesn’t imprint on a business’s bottom line, then shore up your security defenses to protect our data because cybercriminals are evaluating what it is worth and your company could become the next target.

Copyright © 2016 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.