Data breaches aren’t going away. What’s also frustrating for those tasked with protecting data is that poor consumer habits regarding online security aren’t going away, either. Consumers continue to use weak passwords shared across all their online accounts, despite ever-growing threats.
While cybersecurity may seem like a losing battle at this point, there’s no choice but to press on. However, it requires a new way of looking at the problem. At the end of the day, it’s all about the data. As long as it’s valuable, it will be stolen. Efforts to devalue data will be the most impactful actions an organization can take to reduce the number, scope and impact of breaches. So how is this accomplished? Read on.
Once data has been stolen, it’s tainted forever. There’s no way to get it back or clean it up. In addition, cybercriminals have numerous ways to attack – and they keep finding more. It’s similar to physical crime or terrorism in that way. It’s not feasible to protect a soccer stadium, for example, against all possible attack vectors—from every entrance, from the sky, from underground—let alone means of attack that security teams haven’t thought of yet.
Attacks today can come from so many vectors that it’s hard to know where to look at any given moment; data security is a constant battle. The fact is that every time we get it wrong, something bad happens. Sometimes what happens is catastrophic to the organization, such that it is difficult or impossible to recover.
For millennia, security meant building a fort and filling it with warriors. That’s reactive security, and it won’t work in today’s digital environment. A proactive approach is needed, and that means observing consumer behavior with much higher fidelity. Traditionally, analysis has tended to be rather superficial. To truly understand and know the user, you need to look deeper.
This includes looking for signals you wouldn’t normally look for—how fast someone types, how hard they hit the keys, how a user interacts with a website, etc.—the types of signals that are often ignored. These signals, taken together, create a unique, behavior-based user profile that is far more detailed and reliable than standards like passwords and usernames. Knowing a consumer’s true behavior transcends reliance on static identities.
Making data worthless is the key to truly protecting it. Behavior-based profiles achieve this goal because bad actors can’t emulate behaviors with enough fidelity to truly take control of a user’s identity if the right signals are in place. The focus changes from the user’s username, password and perhaps location or secret question to his or her unique identifying behaviors. Deriving identification from measuring these behavioral indicators is so powerful because these authenticators can’t be replicated.
As a result, fraudulent actors can’t use the data they’ve stolen. It’s no longer merely an issue of plugging stolen data into a login screen and taking over an account or completing fraudulent transactions; fraudsters would have to exactly mimic every behavior in the profile – an impossible task. The personal data is thus rendered unusable. Why go to the trouble of stealing something you can’t use? The incentive for fraudsters to steal this kind of data is zero. In other words, the data has been devalued.
There’s always going to be a group of people ready to make a million bucks at someone else’s expense. They also tend to take the path of least resistance and nab the loot that’s easiest to steal and offers the biggest pay-off. If you could change the scenario so that the loot is unusable and therefore worthless to them, why wouldn’t you?
By implementing behavioral authentication profiles, you can. This process contains a one-two punch to dissuade cyber criminals. First, it protects customer accounts from being taken over. Second, it protects your network from being breached once hackers learn that your data can’t be used for their nefarious purposes. Bad guys will find easier targets, and you and your customers will rest assured in the safety of doing business together.
Robert Capps is the vice president of Business Development for NuData Security.