Cyber extortion of small and midsize businesses has become the latest computer crime trend.
Computer hackers target small and midsize businesses, expecting that the companies will pay up in order to keep their businesses going and stay out of the newspapers. The hackers ask for a manageable sum rather than millions of dollars, knowing it is more likely they will get paid if the sum is one the company can afford.
According to a recent InformationWeekstudy by Carnegie Mellon University graduate student Gregory Bednarski, here is how a typical extortion attempt starts:
“A typical Monday, you spend most of the morning catching up on industry reports, scheduling meetings, and reading e-mail. After answering or filing your important messages, you come across a note titled ‘Customer Information’, but from an unfamiliar sender. You open the message only to find a listing of your largest customers’ accounts, credit, order histories, and forecasts. *** Attached to the information is a simple threat: give us cash, or this information goes public. $27,000 divided equally and deposited into three separate foreign accounts, all in a country with tenuous relations with your government, before the week’s end. What do you do?”
Well for one thing, you pray it doesn’t happen to your company or to your IT provider.
A recent attack was a nightmare for a small Cleveland IT firm, as profiled in this Craintech article by journalist Jeff Stacklin. The company ended up shutting down its computer system for a week. The company had to rebuild 40 servers and employees had to work around the clock for a week to fix the situation, to the tune of $250,000 extra expense.
To top it all off, when the company did not pay up, the extortionists sent its clients emails telling them that the company had failed to secure their data.
And just how prevalent is this cyber crime? The InformationWeek study referenced above showed that of the companies surveyed, 17% had a cyber-extortion threat made against them. In 18% of those cases, the extortion attempt was an inside job, involving an employee.
And in 41% of cases the victimized company was not even pursuing identification of the extortionist, a figure which implies that some cyber crimes go unreported — or at least that the criminals get away with it.