This week, we heard news of the latest high-profile data breach, this time from Uber. The company disclosed that in 2016 hackers stole information on 57 million drivers and riders, including names, email addresses, phone numbers and driver license data, and that the breach was not only kept secret but that the company paid the hackers a $100,000 ransom to keep quiet. Uber did fire its top executives in response and is now working with a former National Security Agency lawyer and a security firm to investigate, but in many ways the damage is done.
They are not the only ones.
According to Security Magazine, there is an attack on an internet-connected computer every 39 seconds, and Cybersecurity Ventures predicts that by 2019 a business will fall victim to a ransomware attack every 14 seconds. Among the other companies that reported successful attacks or breaches in 2017 are Intercontinental Hotel Group, Arby’s, Verifone, Dun & Bradstreet, Gmail, Kmart, Blue Cross Blue Shield, Verizon, Equifax, the Securities & Exchange Commission, Deloitte, Sonic, Whole Foods and Forever 21. More than nine billion records have been stolen since 2013.
Some may argue that all of this is at best due to lackadaisical cybersecurity practices and policies that lull people into thinking they have built strong security when in fact they are just checking the boxes for compliance. At worst, it is negligence. A survey commissioned by Nasdaq last year revealed that 90% of corporate executives were not prepared to handle a major attack. This also suggests that they probably do not understand what the ramifications of these wholesale breaches are for their business.
What really seems to be lacking, then, is a culture of accountability and responsibility: not only to raise the bar in defining what strong security is, but, more importantly, for all institutions to change the way they process identity information and how they assess whether a person is who they claim to be when transacting remotely.
We need to think about what fraudsters do with this breached information. They use it not only to apply for credit under stolen and assumed identities but also, and perhaps more worryingly, to refine their social engineering tactics, take over accounts and dig deeper into insider networks.
If our health care organizations, financial institutions and government agencies stopped relying on static, fixed information like passwords, tokens, and name and date of birth to validate identity, and instead used more dynamic methods to authenticate people doing business online, perhaps all these breaches would not have as much of an impact. The data being stolen would simply not be as valuable if other dimensions were relied on to establish the identity of the person behind an online session. Knowing a person’s name, their pet’s name or their mother’s maiden name does not validate their identity.
This is not just a matter of security for the sake of individual transactions. As digital transformation takes hold across all industries and the internet of things matures, it will be impossible to ignore the security requirements that are necessary to establish consumer trust as the data, and the processes used to establish identity, become linked to a larger value chain.
Having this mindset is good business. According to Accenture’s 2017 Cost of Cybercrime Study, companies deploying advanced identity and access governance tools experience cost savings of $2.4 million on average per year. Once the operational costs of dealing with consumer-facing fraud are figured in, there are potential savings of $200 million per year for a large bank that deploys behavioral biometrics for continuous authentication and fraud prevention in its digital channels.
It’s past time to start thinking differently about identity and change the rules of the game.
Frances Zelazny is the vice president of BioCatch, a cybersecurity company that delivers behavioral biometrics, analyzing human-device interactions to protect users and data.