Extortion and blackmailing with stolen private information is not unusual. The types of data that hackers like to use to blackmail other people include photographs that show them in compromising or embarrassing situations. They also look for messages that may contain private information. They are even looking for health information that they believe you would not want to become public. As an example, hackers stole confidential therapy records from a psychotherapy center in Finland just this year.

Tips to avoid being blackmailed by hackers with stolen private data and response to blackmail and extortion threats.

What Do Hackers typically Ask for or Want?

Hackers usually want money. If they succeed in finding private information that people would do anything to keep private, they know that they found the right targets. They blackmail these victims and threaten to release the information on the internet unless they receive payment. In the example described above, victims were told to pay the hackers in bitcoin.

What Are Some Related Statistics?

Sextortion is when hackers blackmail victims with photographs or video that feature the victims in sexually explicit situations, and it is growing in Great Britain. According to the National Crime Center in the U.K., 1,484 people reported that they were the victims of sextortion in 2018. This year, the agency received 703 reports. In Australia, a study from RMIT University showed that one in 10 people were extorted with the threat of the release of compromising pictures this year.

The problem is only going to get worse. Experts are predicting that hackers are going to steal as many as 33 billion records in 2023 alone. This year, they found that 52% of 4,000 breaches were the result of hacking. They also learned that 70% of all of these breaches were done for financial gain. In most cases, hackers get into other people’s accounts by guessing the owners’ passwords.

Similar Cases that Occurred Over the Years

In 2015, TalkTalk Telecom Group was hacked, and the company’s senior executives were the targets. The six executives received orders to pay the hackers in bitcoin so that they wouldn’t sell the customers’ personal information on the internet. These executives know that their company’s reputation is on the line, so they do not want this information to be placed on the internet. The company would no longer be seen as a trustworthy brand if that were to happen.

What Can People Do When They Are Blackmailed with Stolen Information?

One thing that people are beginning to do in these situations is explore injunctive relief against these hackers. This is a good plan for several reasons, including the following:

  • Taking the case to court demonstrates the fact that you did everything that you could to respond to this threat. This will be important if the data that was stolen belongs to your customers.
  • If you have a court order, it will be easier for you to convince third-party companies to remove the information after it has been placed on their websites.
  • Obtaining an injunction can be part of your plan to let your customers know that there has been a security breach on your website.
  • The stolen information may end up in the hands of media personnel. Before these people will be able to publish the story, they will be required to show the court that there is public interest in it.

Where Should People Report Blackmail Cases?

In Finland, hackers are telling their victims to pay them with bitcoin, but the authorities are telling them not to do that. Instead, they suggest that you download the emails you receive and take them to the police station. Then, you can file a police report. You don’t want to pay these hackers because that doesn’t ensure that your information will not be released.

Police officials also advise people not to talk to a blackmailer after they have been contacted.

What Precautionary Steps Can You Take to Avoid Being Hacked?

In hacking cases, criminals illegally access your devices or your websites for the purpose of stealing your personal information. These people use the best technology, and they are hard to find because they are often located outside of the countries that they target. With all of their expertise and equipment, they can walk away with a lot of sensitive information.

Fortunately, there are just two main ways that hackers find your personal information, so we can easily find ways to protect ourselves from them. One way that hackers steal information is to install spyware on your device. They do this by sending it to you in an email, an attachment, an image, a link or a message. The spyware can then send your personal information to the hackers without your knowledge.

The spyware also allows hackers to figure out your passwords, account numbers and other sensitive information. The spyware makes it possible to hack websites where you have your financial information stored or social media accounts that have other personal information on file. It may seem like you couldn’t possibly protect everything from prying eyes, but it is possible to do. Below are some tips to avoid being the target of hackers and their extortion or blackmail demands:

Install Antimalware and Antivirus Software on Your Devices

Install a firewall along with your antivirus software, and make sure that these are always up to date. Paying for these programs is well worth the money because they will tell you when there is a new threat that could harm your devices. They also remove any malicious software that hackers place on your devices. These programs may contain malware, so you have to be very careful about the ones you choose to download on to your devices.

Install the Latest Versions of Security Software

Web browsers, music players and email programs need to be updated on a regular basis. When your system informs you that an update is available, make sure that you take advantage of it.

Make Sure that Your Connections Are Disabled when They Are not in Use

If you are connecting to the internet via Bluetooth or Wi-Fi, make sure these connections are disabled when you aren’t using them. If you leave them on, people can access your network and your devices, and you would never know that it was happening.

How Can You Protect Your Online Accounts?

It’s also important to protect your online accounts. Some examples are your email accounts and your social media accounts. Keep your information safe by doing the following:

If an Email Seems Suspicious, Delete It

If an email appears to be spam or just suspicious, don’t open it. Delete it immediately. If the email came from a trusted friend or family member, contact that person just to make sure that he or she sent it.

Only Use a Device if it Is Secure

Make sure that you only visit your online accounts from your personal computer, smartphone or tablet. The internet connection you use to access the internet should also be secure. Public internet connections could be infected with malware or spyware, and the internet connection may also be insecure. If it is necessary to use a public connection, make sure that you log out right after you are finished.

Do Your Best to Create Strong Passwords

One of the best ways to make sure that your online accounts are never hacked is to change your passwords on a regular basis. A strong password has 12 characters and also has special characters, letters and numbers. Make sure that people will not be able to easily guess them. Each online account needs to have a different password. If a hacker finds his way into one of your accounts, your other accounts will be safe.

If you are the victim of hacking, you will be within your rights to file a complaint with the your local government agency such as the Federal Bureau of Investigations in the US.

Certified in Data Protection

Data has become crucial for the success and survival of almost any business in today’s world. When data is stolen, even the most successful businesses can be put into bankruptcy.

Importance of Layered Security in Cyber Defense

Protecting digital systems is difficult because there are a wide range of known and unknown threats that can lead to a data breach. Businesses seeking to protect their data often use either layered security or defense in depth. Unfortunately, misunderstandings about what layered security and defense in depth mean cause errors in decision-making and delays in the implementation of security practices. Therefore, it is important to have a strong understanding of these two terms so that your organization can stay protected in today’s digital threat environment.

Why Layered Security Matters

Layered security recognizes that there is no single point in a computer system that can ever be fully secure. Therefore, layered security seeks to implement multiple mitigating layers of protection so that intruders have to break through many security measures at the same time. Hackers are often able to figure out how to break one layer of a system’s security, but properly implemented layered security forces hackers to break hundreds of additional layers of security at the same time. In practice, hackers are almost never able to simultaneously get through all of the security measures within a system, so layered security is an effective protection method.

Layered security emphasizes the importance of using secure networks, routers, computers, and servers. Sensitive data is usually quarantined in its own part of a network so that potentially compromised systems are unable to access this data. Layered security even takes into account the importance of good internal controls, premises security, and the utilization of trustworthy security professionals. When layered security is used properly, sensitive data can be protected against highly sophisticated adversaries.

Objectives of Layered Security

The goal of layered security is to prevent a single security vulnerability from compromising an entire system. The layered security approach that is widely used in today’s systems aims to ensure that each component of a system’s defense has as many backups as possible. These backups are designed to counter any possible security defects that could arise in the event of a sophisticated breach.

Formally, layered security is divided into three objectives:

Prevention: The best way to protect a system is to prevent attacks from happening in the first place.
Detection: When attacks are detected quickly, security professionals can respond with appropriate countermeasures while filling security gaps that have been discovered.
Response: Security professionals should always respond immediately when security gaps are found.

Layered Security vs. Defense in Depth

Defense in depth takes a different approach to security practices. Unlike in layered security, defense in depth assumes that no system can ever be secure. As a result, defense in depth seeks to add as many hurdles as possible to slow down hackers trying to break into a system.

In practice, defense in depth uses most of the security practices that are utilized in layered security. However, defense in depth strategies usually go another step further by implementing a wider range of controls and using tactics that assume the existence of active intrusions. Deception is often used in defense of depth, such as by adding clues designed to trick an adversary into thinking sensitive data is on a nonexistent server. Many tactics also aim to slow down an adversary with the goal of creating enough frustration to make the adversary give up.

Regulations on Layered Security

Data security is crucial in the modern economy, so many regulations have been implemented in an attempt to safeguard consumer information. The FFIEC published a document called “Authentication in an Internet Banking Environment.” This legally enforceable document requires financial services businesses to implement measures to minimize data breaches. GDPR is another important law since it specifies rules that companies are required to follow to keep data within EU jurisdiction while protecting it from hackers. The Californian Consumer Privacy Act is also an important law in the security field since it imposes liabilities on businesses that fail to safeguard customer information.

The 7 Security Layers

Information security specialists divide the concept of security layers into seven layers. Intruders attempting to overtake a system must sequentially break through each layer. Therefore, optimizing these seven layers is the focus of any information security professional.

1. Security Policies

Most intrusions fundamentally happen because poor decisions are made by managers who are responsible for safeguarding computer systems. Security managers are responsible for implementing security policies that prevent unauthorized access. Having strong security policies can systematically prevent data breaches while also increasing awareness of security protocols within your organization.

2. Premises Security

Data has become so valuable that hackers often resort to attacks that involve breaking into a facility or even infiltrating an organization from the inside. As a result, strong premises security is crucial for preventing criminal organizations from breaking in. Premises security can also help to monitor employees who have access to sensitive systems. Walls, cameras, metal detectors, and security guards are only a sample of the assets organizations with sensitive data need to keep their facilities safe.

3. Network Security

Once your facility is secure, you will need to turn your attention to securing your network. Hackers need access to your network before they can attempt to break into computers and servers within your organization. You can keep hackers out by properly configuring modern routers and firewalls. Only one vulnerability is needed to enable hackers to break into your network, and new vulnerabilities emerge every day. Therefore, implementing proper network security practices requires a significant amount of time and effort.

4. Software-Based Malware Protection

Today’s malware protection software is much more advanced than it was in the recent past. Software-based solutions come with a broad range of features, including:

  • intrusion detection systems,
  • encryption tools,
  • anti-spam tools,
  • software-based firewalls, and
  • virus detection software.

Proper protection at the software level usually necessitates using only one software program that comes with a range of applications and extensions.

5. Access Control Measures

Security professionals know that unauthorized access is usually the ultimate cause of a data breach. Consequently, organizations seeking to protect important data must utilize best practices for controlling access. Access control professionals ensure that secure passwords are used throughout an organization and that a minimal number of users have access to sensitive systems.

6. Data Protection

It is also important to implement protections that shield sensitive information from being stolen if an unauthorized user gets into one of your systems. Data should always be encrypted when it is stored, and keys must be saved using secure practices. Organizations should also make use of data backups to avoid losing important information when hard drives fail or when an intruder deletes data within a system.

7. Monitoring and Testing

The best way to keep your systems secure is to test them regularly. Many organizations bring in teams of professional hackers who are rewarded with big commissions if they succeed at breaking into a computer system. You should also actively monitor your systems for signs of unauthorized access and for opportunities for improvements. By working to continuously improve the security of your computer systems, you can keep your organization protected against new threats while decreasing the probability of experiencing a data breach in the future.

Identity and access management certifications

The Federal Financial Institutions Examination Council is an interagency body within the U.S. government tasked with ensuring that rules governing financial institutions are enforced uniformly. When online banking became widespread in the early 2000s, the FFIEC decided to introduce standardized guidelines to help banks offering online banking services to comply with data security regulations. This effort culminated in the publication of a document titled “Authentication in an Internet Banking Environment” or AIBE for the purposes of this article.

Authentication in an Internet Banking Environment is only one of many safeguards that have been introduced to protect the clients of financial institutions.

When AIBE was first introduced, it was a relatively straightforward document. It is believed that the FFIEC may not have foreseen how important the document would become as digitalization disrupted banking and payments over the next decade. Nevertheless, compliance with AIBE retroactively became mandatory for financial institutions almost a decade after its publication, and the document has been significantly expanded in recent years to account for its importance in today’s financial system.

What Is AIBE?

AIBE was originally published in October 2005 as a risk management framework. At the time, financial institutions attempting to remain in compliance were challenged by a web of conflicting rules and documents governing how financial platforms were expected to be secured. Therefore, industry experts established a study group that was responsible for creating what was to become the final AIBE document.

AIBE primarily outlines the additional steps that financial institutions are expected to take when securing their platforms. For instance, it specifies that online banking platforms should have at least three security questions because research proves that additional questions strongly correlate with a reduction in unauthorized access. At the time, security questions were common on most websites, but AIBE specified that financial institutions were expected to go the extra mile to protect their customers. Dozens of similar rules were introduced under AIBE that were designed to ensure that security practices were aligned with the high level of importance that consumers place on the security of their financial assets.

Is AIBE Legally Enforceable?

When AIBE was introduced, it was not technically enforceable. Of course, it would act as a guideline to help courts decide which parties are liable in the event of a data breach, so many attorneys regarded it as legally enforceable. Nevertheless, banks still had the right to ignore certain elements of AIBE that they found objectionable.

The enforceability of AIBE changed on January 1, 2012, when the FDIC published guidance requiring that financial institutions fully comply with AIBE. By that time, most financial institutions were already introducing security measures that went far beyond the requirements detailed in AIBE, but the FDIC decided to convert AIBE into a legally enforceable minimum standard to ensure that all U.S. banks made a serious effort to protect their customers.

Updates to AIBE

AIBE was routinely updated after it became legally enforceable. The document was not originally intended to function as a regulatory framework, so updates were needed to account for its new significance.

Shortly before the FDIC made AIBE enforceable, the FFIEC introduced a document labeled “Supplement to Authentication in an Internet Banking Environment” in June 2011. The document aimed to reinforce the fact that following the security practices outlined in the original document remained crucial in the maturing space of online banking. Additionally, it modified some of the security practices outlined in the original document to account for newly discovered vulnerabilities and the changing digital landscape.

Most importantly, the supplementary document added additional expectations in layered security and client authentication. Additional expectations were outlined that required banks to educate their customers on the importance of following good security practices.

Companies That Must Comply With AIBE

Today, all financial institutions that provide financial platforms to their clients are required to comply with AIBE. Therefore, nearly all businesses have to comply if they offer products related to investments, insurance, banking, and securities trading.

Requirements Under AIBE

AIBE sought to provide the full list of security requirements that financial institutions were expected to implement, so explaining the complete array of regulations under AIBE goes outside the scope of this article. Nevertheless, the requirements under AIBE can be summarized as covering three main areas:

1. Internal controls: Financial institutions are required to conduct annual risk assessments to ensure that their platforms are secure. Larger accounts are required to have additional security measures. Financial institutions are also required to introduce customer awareness programs that are tailored to the specific service that they offer.

2. Layered security: Requirements were introduced to make financial institutions develop systems designed to detect fraudulent or suspicious activity. Administrative controls were also made mandatory for customers who use business accounts.

3. Authentication: AIBE clarified that many of the basic device identification strategies that are widely used in e-commerce are not sufficient for financial institutions. It also clarified that basic challenge questions were not enough to protect financial institutions from liability in the event of a data breach.

How to Achieve Compliance

If you are responsible for securing a financial institution’s online platforms, understanding how to adequately comply with AIBE is crucial for avoiding lawsuits and even criminal liability. To comply with AIBE, you should start by reading the document itself. Additionally, make sure that you review the supplementary guidance that the FFIEC has published.

However, fully complying with AIBE is difficult to do on your own. In most cases, you will want to recruit a new employee who is experienced in complying with AIBE. You may also need to work with a security company that specializes in AIBE compliance.

AIBE Compliance Helps to Improve Online Business Security

Although complying with AIBE can be difficult, the reality is that the process of achieving compliance helps to enhance the security of your information systems. You will institute a broad range of access management systems and internal controls that will significantly reduce the chances of your company experiencing a data breach. Therefore, your business will be more sustainable, insurance costs can be reduced, and you can provide a wider range of services.

When your business becomes AIBE-compliant, you can advertise this fact to your customers. As a result, they can feel more secure when they transact through your platform. Clients who are very concerned with security will then be more likely to switch over to your company.

Using the AIBE Framework to Protect Your Business

It is important to understand that the FDIC only made AIBE legally enforceable to help financial institutions protect their clients with the best security practices available. If your business is not required to comply with AIBE, achieving voluntary compliance can still make sense in many cases to demonstrate a good-faith attempt to protect the assets under your control. Businesses that experience a data breach can sometimes be shielded from liability in court when they have gone out of their way to protect their customers.

Safeguards Similar to AIBE

AIBE is only one of many safeguards that have been introduced to protect the clients of financial institutions. For instance, NIST Special Publication 800-63-3 provides guidance on how to properly implement two-factor authentication, and this publication has been used in court to sue businesses that experienced a data breach. The Payment Card Industry Data Security Standard is another important law that aims to protect consumers by ensuring that systems used for online transactions are secure. Even GDPR has rules governing how access systems are supposed to be secured.

Identity and access management certifications

Before the rise of the internet, many businesses operated with a local access network. Desktop computers throughout a building had a hardwired connection to local servers and employees could access programs and data stored on the network.

Assessing the Risks of Distributed Blockchain Applications and Distributed Cloud Data Storage

This system had a low level of security risk. To illegally access data, a criminal outside of the organization would need to sneak into the building or persuade an employee to copy data onto a disk.

The internet greatly improved the ability of organizations to communicate with the world, but it also made networks vulnerable to attack. If a criminal can access the network, all of the data on the server becomes vulnerable. The fear of data breaches, ransomware and other malware became a daily reality for most businesses.

The Blockchain Impact

The advent of blockchain technology has created another way for organizations to conduct online business. Blockchain acts as a digital record of transactions. For most people, they are familiar with blockchain in terms of person-to-person financial exchanges. For example, cryptocurrencies like Bitcoin allow people to send and receive money without requiring a third party like a bank.

However, many other applications can use the blockchain model. Distributed applications, or dApps, allow organizations to access software programs and share data within a closed network of users.

An important difference between the older LAN model and a dApp is that the software lives on multiple nodes within the community. Coupling a dApp with a cloud-based storage solution creates a secure but flexible way for a company to work cooperatively online.

Benefits of a dApp

Many organizations are attracted to dApps because it removes some of the risks of storing information with a third party like AWS. Tech-savvy employees trust dApps because they are not dependent on a larger company. The blockchain structure means that the user community manages the software. In most cases, the software is open source, and changes require community consensus.

Using a dApp protects companies from data loss. When companies store all their information on a central server, a natural disaster can destroy the data. Ransomware attacks can also hold local servers hostage. By storing information and applications over a distributed network, losing access to a server ceases to be an emergency. So long as one node is active, the network can still recover and function.

Security Risks of Blockchain, dApps and Cloud-Based Storage

Anywhere there is centralized data storage, it is attractive to cybercriminals. Cloud-based solutions like dApps and distributed cloud storage can keep data safe, but they are not without security risks.

Human Error

No matter how advanced the technology, there are still fallible human beings logging into the online community. If a cybercriminal can access the dApp, there can still be a data breach. Because dApps allow for remote connections, an open device stolen at a coffee shop can leave the network vulnerable. Human error in a successful spearphishing attack can reward criminals with similar access.

Open Source Issues

One of the attractions of dApps is the open-source nature of the code. Everyone in the community can see what programs do and how they work. However, when cybercriminals manage to get images of the code, it is an easy matter to search the program for vulnerabilities.

Because this is a new technology, there is still a learning curve around best practices. There have been cases where the dApp code contains crypto key information. If the code accidentally contains private information or other access information, the dApp will be vulnerable to attack. As a rule, developers should minimize the amount of data that sits in the smart contracts of the blockchain structure.

Data Issues

Although the framework is changing, dApps are tied to centralized data storage sites. This connection means that data breaches are still a possibility even with a cloud-based solution.

Keeping dApps Safe

As more businesses migrate to dApps and other cloud-based structures, it is important to keep safety and security in mind. Even as technology changes, cybercriminals will look for ways to infiltrate it.

Protect the Keys

Users access dApps using private cryptographic keys. Using cryptography to verify a user’s identity is an excellent security measure so long as no one else gets the key. IT departments must be certain that key information does not end up embedded in the dApp or in a public file. They also must work to make certain no one in the organization gives their key information away.

Protect User Information

Before uploading files to a cloud-based storage solution, be certain that you do not include information that could seriously damage your company in a data breach. Users should store their sensitive data locally.

Educate Users on Safety

As with most technology, security issues are often the result of lax security practices. Even though dApps may be more secure than other remote networks, they are still vulnerable. IT departments must regularly train employees to keep login information safe. An organization may want to employ a two-step verification process around requests for sensitive information.

dApps and cloud data storage are changing the online capabilities of many businesses. With proper security measures in place, they are a safe way to increase productivity and flexibility on the web.

Identity and access management certifications