Recently, the popular social media web service Meetup.com received a threatening email demanding $300 to call off a distributed denial-of-service (DDoS) attack that had just begun on its system. The company decided not to pay the ransom. That led to an extensive attack that knocked the website offline for periods of up to 24 hours over the next four days.
The decision not to pay was bold, and Meetup.com has worked to ensure that its members were not affected. In a blog post, the company’s CEO Scott Heiferman was very persuasive in defending the decision not to pay what seems a paltry sum. He said the company believed the initial demand was simply an opening test, as the criminals would then push the demands up in a painful cycle.
Ironically, the decision to fight and not pay the $300 resulted in much greater IT and public relations (PR) expenses. Not every business has the top-shelf public relations, IT, or legal resources that Meetup.com has at its disposal, which makes a similar decision difficult for many.
The insurance industry is responding to the risk of cyber extortion with specialized policies that help make available and pay for the valuable IT, legal, and PR services companies need. Policies can also cover the ransom demand if law enforcement or other involved parties deem the payment to be the proper course of action.
Cyber extortion is fast becoming an operational risk that must be managed and planned for. There’s no foolproof way to prevent becoming a victim of a cyber extortion event. Many businesses, government agencies, and individuals are increasingly becoming targets of this often random crime. Preparing a plan of action ahead of time can be highly valuable to a business during a cyber extortion crisis.
Part of the plan of action might be to invest in a cyber insurance policy that provides coverage for cyber extortion. Such a policy could be a real lifesaver and allow a business to make that decision to fight if it were to face the situation that Meetup.com did this month.
To learn more about the cyber extortion coverage offered through ISO Cyber Risk Solutions, please email me at sdougherty@iso.com. Also, make sure to follow me on Twitter @doughertyshawn.
Stay tuned for the next blog post in our Cyber Monday Series.