PayThink

Stolen data's a hot potato that gets quickly passed around


In the digital economy, data has become the most valuable asset for any organization, with 97% of businesses using data to power their business opportunities and 76% of businesses using data as an integral part of forming a business strategy.

This strategic asset needs state-of-the-art protection and procedures for every employee, from the lowest rank up to the CEO. Data breaches, exposures, and misconfigurations now carry severe ramifications. Companies have to protect themselves not only from outside threats but also from insider threats and technological oversights, which have been behind some of the biggest data breaches and exposures in 2019, including at Marriott, Tesla, and SunTrust.

Orvis, a sporting goods store located in Vermont, recently exposed internal passwords and credentials on Pastebin. An exposure of internal credentials opens the door to further threats: this type of data lets cybercriminals roam freely in a network, access other sensitive data, or take over existing accounts, harming the company as well as its customers. Data exposures have far-reaching implications long after the information has been revealed on the web.

This company is by no means alone, as every industry, from financial services and health care to gaming, hospitality, and more, is facing waves of attacks. Every online company encounters the same dilemma, even Disney’s newest streaming service. Almost as soon as the Disney service became available, it was hacked by cybercriminals who got away with account data and sold it on the dark web. In fact, in the first nine months of 2019, there were 5,183 data breaches exposing 7.9 billion records. So, whether data leaks come from internal mistakes and exposures or from direct hacking, the outcome is the same: data is exposed, and cybercriminals are using it for fraud today, next year, or several years from now.

Through step-ups such as one-time passwords, two-factor authentication, security tokens, and physical biometrics, companies are finding alternatives to avoid relying on a password or other personally identifiable data that could have been stolen. However, these step-ups also affect good users who just want to "click and play" and expect a seamless experience.

Additional step-ups are useful for making bad actors’ account takeover attempts more difficult. Still, companies can go one step further and trigger additional friction only when there is risk, sparing trusted users. To do this, companies need a security layer in their system that gathers intelligence from each session and uses it to decide which sessions are trusted and which are risky.

This allows companies to secure accounts without relying on user credentials and, at the same time, remove unnecessary friction, both inside and outside of an organization. Passive biometrics and behavioral analytics, for example, are technologies that help evaluate risk in a session without relying on credentials. If the behavior of the user is suspicious, it can trigger a request for a one-time password or a fingerprint scan, for example. A multi-layered approach to user verification that doesn’t rely on credentials makes stolen data valueless.

Leveraging characteristics from individuals’ online behavior like how they press the keys while typing or how fast they browse from page to page, combined with other information such as device intelligence or behavioral data, builds a unique online profile of a user. This integrated approach, with multiple layers acting together to assess the risk before triggering a step-up, is a way for organizations to prevent the account takeover damage after the data has been exposed during a breach.
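The risk-based step-up described in the last three paragraphs, as an added illustration rather than any vendor's or the column's own code: each session's passive signals (keystroke dwell time, navigation speed, device fingerprint) are compared against the user's own baseline, combined into one score, and only a high score triggers a step-up. The signal weights, the threshold, the baseline values and the two sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Score a session from passive signals against the user's own baseline and
# add friction (a step-up) only when the combined risk is high.
# Weights and threshold are illustrative assumptions, not a product's values.

@dataclass
class UserProfile:
    key_hold_ms: list        # historical keystroke dwell times for this user
    pages_per_min: list      # historical navigation speeds
    known_devices: set       # device fingerprints seen on earlier sessions

@dataclass
class SessionSignals:
    key_hold_ms: list        # dwell times observed in the current session
    pages_per_min: float
    device_id: str

WEIGHTS = {"typing": 0.4, "navigation": 0.2, "device": 0.4}
STEP_UP_THRESHOLD = 0.5

def deviation(value, history, cap=3.0):
    """Absolute z-score of value against history, clipped at cap, scaled to 0..1."""
    sigma = pstdev(history) or 1.0      # a flat baseline must not divide by zero
    return min(abs(value - mean(history)) / sigma, cap) / cap

def score_session(profile, session):
    """Return the per-signal factors, the weighted risk, and the decision."""
    factors = {
        "typing": deviation(mean(session.key_hold_ms), profile.key_hold_ms),
        "navigation": deviation(session.pages_per_min, profile.pages_per_min),
        "device": 0.0 if session.device_id in profile.known_devices else 1.0,
    }
    risk = round(sum(WEIGHTS[k] * v for k, v in factors.items()), 3)
    decision = "step_up" if risk >= STEP_UP_THRESHOLD else "allow"
    return {"risk": risk, "factors": factors, "decision": decision}

# Constructed sample baseline and sessions (not real measurements).
PROFILE = UserProfile([95, 100, 105, 98, 102], [4, 5, 6, 5, 5], {"dev-a1"})
TRUSTED = SessionSignals([99, 101, 100], 5, "dev-a1")        # matches baseline
RISKY = SessionSignals([60, 62, 58], 12, "dev-zz")           # new device, new cadence

if __name__ == "__main__":
    for name, session in (("trusted", TRUSTED), ("risky", RISKY)):
        print(name, score_session(PROFILE, session))
```

A stolen password alone does not move any of these factors, which is the point the column makes: the session, not the credential, is what gets trusted.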

The Orvis breach is just a reminder that breaches are not a matter of if but when, and companies have to be ready to provide their account holders the same level of security, even if their credentials have been stolen.
