Why 2016 Is the Year of Online Extortion

And what HR must do about it

By Aliah D. Wright Jul 18, 2016


Although some have cautioned that 2016 is the year for online extortion and predict an increase in cyber threats against businesses, organizations are not as prepared as they could be. What's more, the cost of data breaches is expected to rise this year.

Those are the findings from recent reports on data security—findings that resonate with companies that have been targets of cyberattacks.

In recent months, a number of companies have been asked to pay large sums of money after malicious software, known as ransomware, blocked access to their computer systems.

And although a report released by the Institute for Critical Infrastructure Technology, a Washington, D.C., cybersecurity think tank, states that "2016 will be the year ransomware holds America hostage," many companies just aren't prepared.

For cybercriminals, attacking corporations and stealing their data is big business globally.

The 11th annual Ponemon Institute 2016 Cost of Data Breach Study, which the institute conducted with IBM, states that "the average total cost of a data breach for the 383 companies participating in this research increased from $3.79 [million] in 2015 to $4 million" in 2016.

"When armed with the appropriate skills, [cybercriminals] can push out campaigns from any part of the world. And [those campaigns] will keep increasing because their return on investment keeps growing," Glen Gooding, business unit executive, IBM Security Services, said in an interview with the Financial Review.

Ponemon, which conducts independent research on privacy, data protection and information security, noted that "in addition to cost data, our global study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months."

Cost of Breaches Rising

The study reveals that "the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. We estimate a 26 percent probability of a material data breach involving 10,000 lost or stolen records."

Ponemon's study was conducted in 12 countries and areas: the United States, Germany, Canada, France, the United Kingdom, Italy, Japan, Australia, the Arabic cluster, Brazil, India and, for the first time, South Africa.

Data protection remains a major weak spot for many organizations, according to Los Angeles-based global security software company Trend Micro. Its 2016 Security Readiness Survey, conducted between January and June of this year, found that only 18 percent of respondents said they are adequately prepared for cyber threats, including data breaches. Meanwhile, another 18 percent said they are not ready for attacks involving online extortion, mobile malware and other threats designed to target mobile payment systems.

Some believe it's up to HR to mitigate threats to cybersecurity.

"HR serves as the front line of protection by making security awareness and training an integral part of the company's culture," said Christopher Budd, global threat communications manager for Trend Micro, in an interview with SHRM Online. He said that "making security policies an integrated and integral part of the company's overall policies shows that security isn't something you do once in a while, but something you do all the time as part of your work."

Trend Micro also made the following predictions in its survey report:

  • 2016 will be the year of online extortion.
  • Data breaches will be used by hacktivists (hackers turned activists) to systematically destroy their targets.
  • Despite the need for data protection officers, less than 50 percent of organizations will have them by the end of 2016.
  • Cybercrime legislation will take a significant step toward becoming a truly global movement.

'It Sometimes Pays to Be a Bit Paranoid'

Simply training employees to be careful about what they click on isn't enough.

"It's a start [but], no, it's not enough," Budd said. "Teaching employees to understand that it's OK to check with a sender before clicking or opening or accepting any file is better."

That type of training might have helped an employee at Alpha Payroll Services who earlier this year complied with a cybercriminal's request for all employees' W-2 forms.

As Robert Siciliano, an identity theft expert with BestIDTheftCompanys.com, told SHRM Online, "Every e-mail requesting sensitive data should be suspect and followed up with a phone call. Clicking links and providing sensitive data without follow-up makes an HR professional no smarter than someone who falls for a 'prince' in a Nigerian [e-mail] scam."

Not everyone thinks following up with a sender is always so simple.

Said Eduard Goodman, chief privacy officer of Scottsdale, Ariz.-based identity theft protection company IDT911, "Many of these scams work because they target a person within the organization who has just enough authority to have all of the access but not enough authority to feel they can question a request from the CEO, CFO, general counsel or head of HR. The reflex is to simply comply with the request. By making sure that the organization is one where everyone understands that it sometimes pays to be a bit paranoid, everyone can be protected and can be the protector against these scams."

