As technology evolves, customers face an increasing number of identity threats. At the same time, legislation around the world now applies increasingly hefty fines when customer data is compromised. According to Experian, more than two in five consumers worldwide have experienced fraudulent activity online, and 55% of businesses globally have reported losses due to online fraud in the last 12 months. The World Economic Forum classes identity fraud and theft as one of the top five global risks for 2019.
Data Theft and Protection Legislation
In 2018, an upswing in data breaches affected many big-name companies. In most cases, these attacks garnered huge fines, along with a loss of both revenue and consumer confidence. At the same time, GDPR came into force in the EU, with strict data protection regulations backed by penalties reaching as high as 4% of global turnover (not 4% of profit).
Similar regulations have also come into force in other parts of the world. The UN now hosts an online map tracking global cybercrime and data protection legislation, and it makes for interesting reading.
The State of Security Today
To protect the public’s digital assets, unprecedented levels of surveillance are now commonplace. Advanced login and authentication procedures now include multi-factor authentication (MFA) and the public are far more aware of how to protect themselves online.
Biometric identification is seeing big growth. Biometric national identity documents are in use in many countries, and most smartphones have fingerprint and facial recognition options for login.
However, some of these login methods are less secure than one would hope. Companies that allow customers to log into mobile app accounts using device-based biometrics may need to consider additional safeguards.
5 Emerging Threats to Companies in 2019 and Beyond
Several threats have increased in 2019 or are have garnered the interest of security professionals. Here are a few:
1. Mobile device attacks and takeovers
With the increase in mobile device usage and applications, it’s natural that an increase in attacks will follow. Mobile phone account takeovers more than doubled last year. That’s why organizations need to prevent ID theft and fraud on their mobile platforms. Approximately 24,000 malicious mobile apps are blocked every day.
2. A rise in Synthetic Identity Fraud
Large datasets like the ones lost in recent high-profile breaches could be used to create semi-fictitious personages for use in synthetic identity fraud. This type of fraud can still rebound on your customers by tying details like their address to fraud, or by directly affecting your organization. To date, the largest synthetic ID ring detected caused banks to lose $200 million.
3. Increased internet of things (IoT) risks
IoT security will affect consumers more than ever in 2019, as smart devices continue to make their way into homes and workplaces. Many consumer IoT devices are inherently insecure, using default passwords, unencrypted connections, and more. While IoT devices may be vulnerable to a range of cyberattacks, the authentication landscape for IoT devices is rightly evolving, as well.
The sheer number of new attacks and vulnerabilities is growing rapidly year on year, with ransomware attacks growing 350% annually.
5. Credential Stuffing
Credential stuffing is also making the news lately. Credential stuffing has helped boost the marketplace for large databases of credentials on the dark web, by using databases of known credentials to attack multiple sites and services in brute force attacks.
Recent Data Breaches
The recent Capital One data breach compromised over 106 million records, including bank account details, 140,000 social security numbers, credit card applications, and 80,000 linked bank account details. A former employee at Amazon Web Services was recently arrested after trying to sell the stolen details online.
Capital One will likely face large compensation claims and fines due to the breach. The U.S. government is advising people to keep an eye on their credit reports. The breach follows a common pattern that’s emerged over the last couple of years – that of large-scale attacks designed to gather saleable data.
Terbium Labs listed several big-name attacks in its 2018 report. Global brands such as Marriott (500 million records) and Quora (100 million records) are some of the more notable examples from last year, and Facebook lost control of 30 million records in the same year.
Ultimately stolen data may end up in large silos with data from other sources. This is what happened with the “Collection 1” data breach. The data is thought to come from numerous corporate entities, and forms one of the biggest data breaches globally to date.
The Cost of Data Breaches
The cost of data breaches can largely be split into two categories:
- Costs to the consumer: loss due to fraud, lost time spent updating/upgrading passwords and security, increased consumer prices
- Costs to businesses: legislative fines, compensation payouts, loss of customers/earnings, and direct loss from fraud
Global cybercrime losses are estimated to reach $6 trillion annually by 2021, with the average loss per individual consumer reaching $141 per incident.
How do Data Breaches Affect Customers?
Aside from direct costs, data breaches have serious long-term effects on customer loyalty and stock market faith. A 2017 survey by the Ponemon Institute tells us that churn rates make a big difference to the overall cost of a data breach.
Churn rates of 1% or less cost on average $1.9m, where a 4% churn rate costing on average $5.1 million. Churn rates due to data breaches vary by country, with Japanese and Italian customers most likely to vote with their feet.
Other Costs of Data Breaches
Procrastination makes a big difference to losses incurred at every stage, from initial containment though to notification times. Taking more than 30 days to contain the breach adds an extra $1 million to a baseline cost of around $2.83 million.
Stock prices also suffer greatly following a data breach. With an average fall of 5%, stock prices are directly affected by how an organization deals with the crisis. Swift containment and prompt self-reporting help companies protect themselves from falling stock prices.
How Are Data Breaches Detected?
Common methods for detecting data breaches vary from ideal to disastrous. Shockingly, in 2017 the average “dwell time” (time taken to detect a data breach) was 101 days, ranging from 75.5 days in North America, through to 498 days in the Asia-Pacific region. The two signs that an incident might occur, precursors (evidence of a potential attack vector) and indicators (evidence of a possible attack), are difficult to spot.
Common indicators signifying an attack include:
- Unauthorized changes to firewalls or security software
- Unauthorized changes to access levels
- Unexpected software or processes
- Unexpected or unauthorized payments
- Repeated logins from unusual locations
- Contact details and password changed in close succession
- Repeated failed attempts to log in
Some other ways that data breaches are spotted:
- Alerts by partner organization (e.g. bank, card processor, order fulfilment provider)
- Alerts by an unhappy customer after fraudulent activity
- Data spotted for sale online
- Hacker brags online about breach
Preventing Data Breaches
Data breaches can happen to anyone, but here are some things you can do to protect your organization and customer data:
- Manage access and login controls effectively: A state-of-the-art CIAM solution can do this via multi-factor authentication, account activity monitoring, and passwordless login, which prevents attackers from exploiting a system.
- Keep software and security systems up to date: If your software is not kept to date with patches, hackers can exploit these vulnerabilities.
- Monitor firewalls and other security software constantly: Close monitoring protects you from unauthorized changes or access.
- Educate customers and other users: Educate users on password strength and spotting social engineering attacks.
- Maintain a good relationship with partner companies: Banks and card processing organizations might spot unusual activity on your accounts before you do.
- Follow best practices for data storage: Encrypt sensitive data, manage file access permissions, and don’t hold on to “stale” data longer than necessary.
Despite the emerging threat landscape, there’s plenty you can do to protect your customer’s data and prevent losses due to fraudulent activity. Make sure you take every step possible to avoid the steep financial losses that data breaches can incur.
About the Author:
Rakesh Soni is CEO of LoginRadius, a leading provider of cloud-based digital identity solutions. The LoginRadius Identity Platform serves over 3,000 businesses and secures one billion digital identities worldwide. LoginRadius has been named as an industry leader in the customer identity and access management space by Gartner, Forrester, KuppingerCole, and Computer Weekly. Connect with Soni on LinkedIn or Twitter.