Traditionally, attackers broke into a company's systems and monetised the intrusion directly, by stealing sensitive data or holding it hostage. Good examples are the 2017 WannaCry outbreak, one of the largest ransomware incidents in history, and the Equifax data breach that exposed the personal information of nearly half of the U.S. population.
The threat now on the rise is different: attackers blackmail companies, demanding payment in return for not publishing compromising information about them, or for not disclosing vulnerabilities they claim to have found in the company's systems to third parties.
This threat is tricky for three reasons. First, there is no proof that the attacker really discovered a vulnerability. Second, even if they did, there is no assurance that they will keep it to themselves once paid; someone already committing extortion has little reason to honour a promise. And lastly, a payment signals that extortion works, so the attacker may well come back for more, possibly using the first vulnerability as a foothold to find or create further weaknesses.
With that in mind, paying an extortionist should be the last resort for any business. Instead, businesses can do any of the following:
- Launching an express bug bounty for white-hat hackers
By offering rewards and recognition to anyone who discovers and responsibly reports a bug in a platform, bug bounty programs let businesses crowdsource the search for security flaws. Finding and fixing those flaws early spares the organization the post-breach fallout that endangers customers' data and damages the brand.
When approached by an extortionist, a business can immediately contact a bug bounty platform and have it assemble a pool of security researchers for an urgent, time-boxed bounty.
If done properly and in time, word goes out that whoever finds a security flaw will be rewarded, and there is a good chance the vulnerability the blackmailer claims to hold will be independently found and fixed without the company having to gamble on the blackmailer. It is not a guarantee: a bounty raises the odds that a flaw is found, so the company should scope it carefully around the systems the blackmailer has pointed at and keep looking itself.
While encryption, anti-malware software and other security controls are well suited to preventing and containing many threats, a bug bounty is one of the more effective responses to an extortionist who claims to hold an unknown vulnerability.
Blackmail of this kind cannot be prevented by adding firewalls or deploying more software, because the defender does not yet know where the flaw is. Bringing in a crowd of white-hat hackers to discover it, so the company can fix it, addresses the actual problem.
- Securing vital aspects of the organization
In every organization, some assets are more important than others: the systems that handle client relations, customer data and personal information, and so on.
To push an organization into a corner where paying seems the only option, an extortionist will most often target exactly these vital systems and data.
Hence, one effective measure to take when a blackmail threat arrives is to tighten security around the data and systems most vital to the organization: restrict which people and services can reach them, review credentials and access logs, and watch them closely for unusual activity.
That way, even if the blackmailer's vulnerability lies in a component that was not hardened, the damage it can do is contained.
- Hack-proofing the brand
Just as many bug bounty platforms have emerged to help organizations launch an urgent bounty, some platforms go further and offer to temporarily shield the organization from attack until the vulnerability in question is found.
The idea is that, with this shield in place, the blackmailer or any third party aware of the vulnerability is temporarily shut out of the system and cannot exploit the flaw for a certain period, buying the organization time to find it. In practice, no service can reliably block exploitation of a flaw that nobody has yet located, so "hack-proof" should be read as a set of compensating controls: tighter filtering in front of the exposed systems, blocking of suspicious sources and heightened monitoring that narrow the window of exposure rather than close it.
Businesses can use this measure to stay safer both while they search for the vulnerability and while they fix it.
- Negotiating and arriving at an agreement
As stated above, paying blackmailers should be the last option any business resorts to.
However, when a blackmailer provides solid proof of a vulnerability in your platform, and that vulnerability would do great harm to your brand if exposed, it may be pragmatic to treat them as an individual who found a vulnerability, reported it and hopes to be rewarded, much like the white-hat hackers who take part in a bug bounty program. Before going down this road, involve legal counsel and, where appropriate, law enforcement: paying an anonymous extortionist can carry legal consequences, and nothing compels them to keep their side of the bargain.
The important thing is to negotiate an amount that won't wreck the company's finances and to get the blackmailer to agree never to expose the vulnerability once paid, while recognising that such an agreement rests entirely on the blackmailer's word.
If such an agreement can be reached, the business can meet the demand and immediately fix the vulnerability, then use it as a clue to uncover and fix similar weaknesses elsewhere, if any.