Cyberattacks are showing no signs of slowing down. From the beginning of this year to May 7, there have been 437 reported breaches exposing a total of 11,638,460 records, according to Identity Theft Resource Center. As breaches continue to make headlines every week, there is a growing concern with the lack of security many companies are displaying. For example, one of Canada’s largest cell networks, Freedom Mobile, didn’t even have a password protecting its server, leaving its data vulnerable, resulting in the exposure of five million customer accounts.
Recent research investigated formal responses to data breaches and found that nearly one-third of all company statements analyzed contained a variation of the phrase, “We take your privacy and security seriously.” A common phrase we’ve all seen surface after a data breach, but it raises the question, ‘just how seriously companies take their security to protect user privacy?’ The data breach mentioned above exposes the seriousness of leaving data vulnerable for anyone to access. The craziest thing is, the phenomenon of leaving valuable customer data on an unprotected server is actually very common. Even though a password is a very basic, baseline form of security, companies often don’t have one securing their data. There have been several related breaches stemming from data being stored on unprotected servers.
Is it neglected security or just plain ignorance?
By not properly protecting their attack surface, companies are leaving themselves open to breaches. No company wants to suffer a breach. From the financial cost to the reputation damage, the price is high. According to IBM’s 2018 Cost of a Data Breach Study by Ponemon, the global average cost of a data breach is $3.86 million. With elevated stakes, companies are still at risk and here are three driving factors as to why.
Lack of understanding their security landscape
Too often we see companies who, believe it or not, don’t even understand their own threat landscape and fail to recognize poor security posture and potential risks. Companies tend to overestimate their security well-being while underestimating their security risk, creating the perfect formula for cybercriminals to take advantage.
Underestimating the cyber criminals motives
In order to protect your data, it is important to get in the mind of cyber criminals and understand their motives. All cyberattacks are financially motivated. Companies fail to understand the value of their data and therefore have minimal defenses in place, which allows cyber criminals to bypass at little cost.
Selling records on the dark web
Account records and personally identifiable information (PII) are accumulating on the dark web, which has commercialized the sale of user credentials to include email addresses and passwords. Records being sold on the dark web can earn a cyber criminal anywhere from one dollar to $2000 per record, not a bad return. When a cybercriminal uploads their stolen records to the Dark Web, other criminals can then use that information to carry out further attacks. A common type of attack is referred to as account takeover, where cyber criminals can use automation, combined with stolen records exposed on the dark web, to carry out attacks at scale. The hackers will use records from previous breaches and the top 10 most common passwords to gain access to new accounts. Account takeover attacks are costing companies on average $4 million a year, from downtime to damaged reputation. Companies need to understand they are continuing to fuel the threat by leaving their attack surfaces unprotected.
Surely companies are not trying to leave the doors open for cyber criminals. Yet, that is exactly what is happening when companies leave their attack surface vulnerable with insufficient defenses. So, what are the necessary steps for companies to take to take back control of their attack surface?
- Remove the economic incentive: What’s the perfect formula for a cyber criminal? Minimal effort + large database = high reward. The companies who don’t make the hackers work for it are easy targets. In the digital age, companies are constantly gathering and storing data. The larger the database, the higher the payout for cyber criminals. To take away the economic incentive, companies need to make it more costly for attackers to breach their attack surface. Cyber criminals will move on to the next target once they realize it will require too much time and resources to attack, eliminating their prospective ROI. Bottom line, we sap their economic efficiency to and break their business models!
- Be proactive and reactive: Companies often live in a reactive world, where they are doing damage control, sending out “We take your privacy and security seriously” letters. Many only begin to investigate strengthening their security defenses after they have suffered a data breach. Rather than being a sitting duck, companies need to start taking a proactive approach to their security and put measures in place to safeguard their attack surfaces to prevent an attack from occurring in the first place.
- Don’t rely on one defense to protect against all threats: You did your research and have a security defense in place, you’re good now right? No, there is not a single solution out there that can prevent against every type of attack in a hacker’s tool box. Cyber criminals have a variety of methods to use, including account takeover, phishing, digital sweatshops, and single request attacks – the list goes on. Companies need to have an artillery of defenses to protect every angle and entry on their attack surface. Make sure the defense solutions you choose work together and cover your company at all access points.
- Choose the right defense for your needs: Before selecting a defense solution, make sure you do your research first. Don’t accept a post-deceit relief solution – or a solution that can only remediate abuse after the fact. This is counterproductive and provides the cyber criminal a window of opportunity to extract account details or place malware within the system. Cyber criminals are always evolving and inventing new methods to attack. Companies need to choose a solution that is agile and can quickly evolve with the changing threat landscape.
Neglected Security or Just Plain Ignorance?
It is a variation of both. Not only do companies not understand the problem, they don’t know what technology would work best for them. Ultimately, the lack of information is preventing companies from taking proper actions. Companies are still at risk because they have a lack of understanding of their security landscape, continue to add to the dark web and underestimate the cybercriminals motives. By removing the economic incentive, taking a proactive approach, using multiple defenses and choosing the right solutions, companies can begin to take back control of their attack surface.
About the Author:
Kevin Gosschalk is the CEO and Founder of Arkose Labs, where he leads a team of people focused on telling computers and humans apart on the Internet. He gained early recognition for his work with the Institute of Health and Biomedical Innovation (QUT) as part of the LANDMark (Longitudinal Assessment of Novel Ophthalmic Diabetic Markers) study, where he developed an innovative mapping technique to detect early signs of diabetes using non- invasive methods. Before Arkose Labs, Kevin worked on gaming hardware for the intellectually disabled at the Endeavour Foundation and built a unique device incorporating Microsoft’s Kinnect Camera technology. Noted for his involvement in interactive development and machine vision, Kevin then turned his expertise to automated abuse and human verification — often regarded as the Internet’s impossible problem. Today, Arkose Labs has transformed the irritating chore of comprehension into an SLA-guaranteed technology that prevents automated abuse for brands like Electronic Arts, Singapore Airlines, and Roblox.
