Operating in the Face of a Breach

by Robert Capps

The cold hard truth is that data breaches aren’t going to stop anytime soon. Since 2005, more than 675 million data records have been involved in breaches in the U.S., according to the Identity Theft Resource Center. That’s a massive number. At the same time, consumer behavior isn’t likely to change any time soon either.

Given these two dilemmas, it’s easy to become overwhelmed or disillusioned when it comes to cybersecurity. However, there is a way for organizations to grapple with these twin challenges and still protect themselves and their customers.

At the end of the day, it’s all about the data. As long as it’s valuable, it will be stolen. Efforts to devalue data will be the most impactful actions an organization can take to reduce the number, scope and impact of breaches. So how is this accomplished? Read on.

IT security, an uphill battle

Historically, there’s been no real way to stem the sale and use of data stolen from breaches. Once it’s gone, it’s gone. In addition, cybercriminals have numerous ways to attack – and they keep finding more. It’s similar to physical crime or terrorism in that way. It’s not feasible to protect a soccer stadium, for example, against all possible attack vectors—from every entrance, from the sky, from underground—let alone means of attack that security teams haven’t thought of yet.

There are so many vulnerabilities within an organization’s armor that data security is a constant, uphill battle. The fact is that every time we get it wrong, something bad happens. Sometimes very bad, as in stock-plummeting, customer-fleeing, company-destroying bad.

Do you really know your user?
Organizations must ingrain security into every aspect of doing business. Education is key – the mindset has to change, not just the product. This requires a proactive approach versus a reactive one.

Being proactive means observing consumer behavior with much higher fidelity. Traditionally, analysis has tended to be rather superficial. To truly understand and know the user, you need to look deeper. This includes looking for signals you wouldn’t normally look for—how fast someone types, how hard they hit the keys, how a user interacts with a website, etc.—the types of signals that are often ignored.

These signals, taken together, create a unique, behavior-based user profile that is far more detailed and reliable than standards like passwords and usernames. Knowing a consumer’s true behavior transcends reliance on static identities.

Devaluing the Data
How do behavior-based profiles devalue data? Bad actors can’t emulate behaviors with enough fidelity to truly take control of a user’s identity if the right signals are in place. The focus changes from the user’s username, password and perhaps location or secret question to his or her unique identifying behaviors. Deriving identification from measuring these behavioral indicators is so powerful because authenticators can’t be replicated.

That means that once these authenticators are put together into unique user profiles, fraudulent actors can’t use the data they’ve stolen. It’s no longer merely an issue of plugging stolen data into a login screen and taking over an account or completing fraudulent transactions; fraudsters would have to exactly mimic every behavior in the profile – an impossible task.

So then, the personal data is rendered unusable. Why go to the trouble of stealing something you can’t use? The incentive for fraudsters to steal this kind of data is zero. In other words, the data has been devalued.

Remove the incentive
Criminals have been taking what isn’t theirs since time immemorial; that’s not ever going to change. They tend to take the path of least resistance as well and nab the loot that’s easiest to steal and offers the biggest pay-off. If you could change the scenario so that the loot is unusable and therefore worthless to them, why wouldn’t you?

This is exactly what behavior-based authentication does. It not only protects customer accounts and data, but it also reduces the likelihood of data breaches once word gets out that your data is unusable. Fraudsters will go elsewhere in search of low-hanging fruit while your customers continue to use your site with confidence.


About the author:

Robert Capps is the vice president of Business Development for NuData Security. He is a recognized technologist, thought leader and advisor with more than 20 years of experience in the design, management and protection of complex information systems – leveraging people, process and technology to counter cyber risks.