The Yahoo! data breach of over 1 billion accounts represents the biggest single cyber attack in history, and will undoubtedly be looked back on as a watershed moment for cybersecurity. The most critical takeaway for businesses, and for CIOs in particular, is that most consumer data is already compromised, and try as we might, we can’t put that genie back in the bottle. Anyone who does business online needs to be aware that consumer identity can no longer be established solely on the basis of knowledge of what was previously confidential identity information and authentication data.
Stolen credentials are big business on the black market, and with over seven billion data records lost or stolen since 2013, criminals have a tremendous amount of consumer data to work with. Consumers haven’t exactly helped themselves, and continue to exhibit the bad habit of reusing the same usernames and passwords across many sites. Couple this with the number of websites and online services that allow users to authenticate solely with a username and password, and we find ourselves in a perfect storm where companies are taking outsized risks with their customers and their businesses, and may not even know they are doing so.
Even companies that have moved beyond a simple login and password have found that the strong authentication methods they employed are driving customers away, because of the inconvenience of high-friction interactions such as SMS one-time passwords, secret questions and answers, or physical authentication devices. Solutions that passively identify users see the strongest interest and better long-term adoption, with minimal impact on good consumers.
Another developing and worrying threat for CIOs is the increasing sophistication of phishing. The phishing scam is one of the oldest tricks in the fraudster’s playbook, but the truth is that this technique continues to work, and it is getting more and more sophisticated. Over 85% of businesses receive phishing emails, and many are so well targeted and personalized that they achieve an open rate as high as 30%. It is not a question of if you’ll get a phishing email, but when. Does your team know how to recognize a malicious email when they see it?
One successful phishing attack and a fraudster could have access to your critical financial systems, and in some cases, your financial accounts. With the continued evolution of advanced persistent threats and malware delivered through spear phishing attacks, everything on your computer, and potentially your entire network, could be vulnerable. We’ve seen this demonstrated in recent high-profile data breaches. The exposure is not limited to your company’s own data; it may include any client information you hold.
When it comes to post-breach planning and strategy, CIOs should work collaboratively with their InfoSec and IT teams, as well as their internal business partners, to take a proactive approach to protecting all consumer data in the same manner as the core assets of their organisation. We must move beyond the mindset of establishing minimum security practices that merely meet the basic standards set by the payments industry and the government. All personally identifiable information (PII), including email addresses, names, financial information, personnel data, social security numbers, phone numbers and more, is valuable to criminals. As long as this data continues to see inconsistent protection and remains so easy to reuse, hackers will continue to target it for theft. Stolen data is being used to create deep profiles of consumer identity that sell for higher prices in the cyber-underground and are extremely lucrative for future identity and financial crimes. All personal data entrusted to you by your customers has a dollar value, and like any other currency it must be safeguarded. The Federal Trade Commission (FTC) has free resources to help organizations build policies to protect this data. Use them.
Consumer data is always going to be vulnerable, but this does not mean that CIOs should give up on protecting it. It is their responsibility, alongside the wider business, to limit the opportunities for breaches and to treat consumer data as an asset that is as important as any other in their organisation.
About the author:
Robert Capps is the vice president of Business Development for NuData Security. He is a recognized technologist, thought leader and advisor with more than 20 years of experience in the design, management and protection of complex