Sidestepping the Threat Posed by Breached Data
The countless data breaches perpetrated on businesses and organizations of all sizes point to the fact that cybersecurity is, well, difficult at best. A quick look at the World’s Biggest Data Breaches provides startling visual proof of this sad fact. At the same time, change is hard for consumers. They don’t want their identity or other online information stolen, but the majority of them can’t be bothered with best practices like frequently changing their passwords.
In light of these twin challenges, organizations can feel overwhelmed or disillusioned when it comes to cybersecurity. However, there is a way for organizations to grapple with these issues and still protect their entity and their customers. Because, ultimately, it’s all about the data. As long as it’s valuable, it will be stolen. Efforts to devalue data will be the most impactful actions an organization can take to reduce the number, scope and impact of breaches.
So, how is this accomplished?
Chinks in the IT Security Armor
The data theft genie can’t be put back in the bottle. In other words, once data is stolen, there’s no getting it back. In addition, cybercriminals have numerous ways to attack – and they keep finding more. It’s similar to physical crime or terrorism in that way. It’s not feasible to protect a soccer stadium, for example, against all possible attack vectors—from every entrance, from the sky, from underground—let alone means of attack that security teams haven’t thought of yet.
That’s why data security is a constant, uphill battle – there are just so many vulnerabilities within an organization’s armor. The fact is that every time we get it wrong, something bad happens. And, sometimes it is very bad, as in the stock-plummeting, customers-fleeing, or literally company-destroying bad.
Understanding Your Users
In order to avoid this kind of scenario, organizations must create a culture of security.
Education is key – the mindset has to change, not just the product. This requires a proactive approach versus a reactive one. Being proactive means observing consumer behavior with much higher fidelity. Traditionally, analysis has tended to be rather superficial. To truly understand and know the user, you need to look deeper. This includes looking for signals you wouldn’t normally look for—how fast someone types, how hard they hit the keys, how a user interacts with a website, etc. —the types of signals that are often ignored.
When all of these signals are combines, they form a distinctive user profile based on behavior that is far more detailed and reliable than standards like passwords and usernames. Knowing a consumer’s true behavior transcends reliance on static identities.
Removing the Incentive for Fraud
This devalues data, because if the right signals are in place, criminals can’t emulate behaviors with enough fidelity to truly take control of a user’s identity. The focus changes from the user’s username, password and perhaps location or secret question to his or her unique identifying behaviors. Deriving identification from measuring these behavioral indicators is so powerful expressly because authenticators can’t be replicated.
So then, as unique user profiles are built with these authenticators, fraudulent actors can’t use the data they’ve stolen. It’s no longer merely an issue of plugging stolen data into a login screen and taking over an account or completing fraudulent transactions; fraudsters would have to exactly mimic every behavior in the profile – an impossible task.
In this way, passwords, usernames, payment details and more become unusable. Why go to the trouble of stealing something you can’t use? The incentive for fraudsters to steal this kind of data is zero. In other words, the data has been devalued.
Unless human nature suddenly changes, malicious actors are going to try to keep stealing data. They tend to take the path of least resistance, as well, nab the loot that’s easiest to steal and offers the biggest pay-off. If you could change the scenario so that the loot is unusable and therefore worthless to them, why wouldn’t you?
By creating user profiles based on behaviors that cannot be imitated, that is precisely what you can do. Any customer account data that is obtained on the dark web is useless to fraudsters, because passwords and usernames alone cannot outsmart a fraud detection and prevention system based on behavior-based authentication. And once it becomes known in the online underworld that your data is unusable for fraud, the risk of being breached goes down. Your organization is safer, your customers are safer and fraudsters will have to go elsewhere.
About the Author
Robert Capps is the Vice President of Business Development for NuData Security. He is a recognized technologist, thought leader and advisor with more than 20 years of experience in the design, management and protection of complex information systems – leveraging people, process and technology to counter cyber risks.
Edited by Peter Bernstein