2018 has been a tumultuous year for data breaches. Marriott’s data breach, which affected 500 million Starwood guests, illustrates the point. Hackers are evolving at a rapid pace and businesses need to begin adapting cyber defences to mitigate risk.
Thanks to a barrage of advertising by LifeLock and Experian, most consumers are painfully aware of identity theft. Unfortunately, for businesses, the list of cyber threats is long, varied, and ultimately isn’t going away in the foreseeable future. With that somber prelude, here are seven threats to cyber defences that business owners and their cybersecurity teams need to pay attention to in 2019:
1. The Daily Data Breach. Let’s face it, we don’t even raise an eyebrow anymore when we hear that another business has been breached. Your initial thought may be “I’m glad I’m not on the management or security team for that organisation.” But those breaches impact your business too. All those breached records end up on the dark web, where other cyber-baddies use that information to assume new identities that can unleash fraud on your organisation. A recent report published by cybersecurity firm Shape Security showed that 80 to 90% of the people that log into a retailer’s e-commerce site are hackers using stolen data.
2. Insider Attack. Enterprise security teams usually underestimate the risk to cyber defences that an insider poses to the organisation. According to The Ponemon Institute, the average cost of insider threats per year is more than $8 million. High-profile insider attacks, such as the attacks at Tesla and Coca-Cola, are on the rise. Nuance was hit by an insider attack in which the patient records of 45,000 individuals were leaked.
3. The Manufactured Identity. Synthetic fraud is on the rise and it’s particularly difficult to detect and defend against. It usually starts when the fraudster secures an unused Social Security number — typically that of a minor — and then goes about creating a fictitious identity using various pieces of real and fabricated information, such as a name, birthdate and an address controlled by the thief. The cyber thief can go through a series of steps and tactics (such as “piggybacking” or credit boosting) that can sometimes take months, but end up creating a highly credible manufactured identity that can wreak all kinds of havoc with cyber defences when used to create bank accounts or defraud e-commerce sites.
4. The 97 per cent. Only about 3% of malware tries to exploit an exclusively technical flaw with cyber defences. The other 97 per cent targets users through social engineering. Social engineering is a method of deceiving people into giving you their information or exploiting their weakness, or laziness, to find that information. It is believed to be the most frequently used method to get into a corporation’s network these days. Train your people to understand and recognise social engineering attacks. You can even hire companies to launch a mock phishing attack and see who clicks on the naughty links.
5. The Increased Risk of Two-Factor Authentication. The viability of SMS-based two-factor authentication (where a 4- or 6-digit code is sent to your smartphone to help authenticate your identity and grant access to your account) is increasingly being challenged. Firstly, hackers can intercept the SMS messages through malware placed on your smartphone and initiate man-in-the-middle attacks. The technology is also susceptible to SIM swap attacks that enable fraudsters who have access to one other piece of personal information — like your Social Security number — to call your carrier and move your number to a new SIM card. Adding fuel to the fire is a recent, massive hack of Voxox’s database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.
6. The Death of KBA. What street did you grow up on? What’s your mother’s maiden name? If you’ve ever been asked one of these questions while logging into a website or resetting a password, you’ve been subject to a form of knowledge-based authentication (KBA). KBA is still (inexplicably) one of the most common means of identity verification. Unfortunately, thanks to large-scale data breaches and the dark web, most of the answers to those supposedly secret questions are now known by fraudsters, making it easy to sidestep this type of authentication — rendering it useless.
7. The Continued Phishing Threat. More than 90 percent of malware is delivered via email so it’s no surprise that email continues to be criminals’ go-to method for distributing malware. According to the most recent statistics from the FBI’s Internet Crime Complaint Center, the most costly form of cybercrime stems from a complex type of fraud known as the “Business Email Compromise” or BEC scam. A typical BEC scam involves phony emails in which the attacker spoofs a message from an executive at a company or a real estate escrow firm and tricks someone into wiring funds to the fraudsters.
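The BEC pattern described in item 7, turned into a header check a mail team could run over inbound messages. This is an added example, not part of the original article; the company domain, executive names and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: our own mail domain and executive names.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield", "lee okafor"}

def bec_indicators(raw_message):
    """Return the BEC warning signs found in one raw e-mail message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []
    # An executive's name is shown to the reader, but the address is external.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("executive display name on external address")
    # Replies are routed to a different domain than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    # The receiving server recorded an SPF, DKIM or DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{mech}=fail" in auth for mech in ("spf", "dkim", "dmarc")):
        findings.append("sender authentication failed")
    return findings

# Constructed sample: executive name on a look-alike external address.
SPOOFED = """\
From: "Dana Whitfield" <dana.whitfield@examp1e-corp.test>
Reply-To: wire-desk@payments.test
To: accounts@example.com
Subject: Urgent wire transfer today
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Please wire the funds before 3pm and confirm by reply.
"""

# Constructed sample: the same executive writing from the real domain.
LEGIT = """\
From: "Dana Whitfield" <dana.whitfield@example.com>
To: accounts@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Agenda attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_indicators(raw))
```

A message that trips any of these checks is a candidate for a warning banner or out-of-band confirmation before funds are wired.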
Despite all these threats, it’s not all doom and gloom. Artificial intelligence is increasingly being used to spot and neutralize some of these emerging threats to consumers’ digital identities. In fact, 30 percent of enterprises with more than 5,000 employees are currently using AI-powered security solutions and this number is expected to grow to more than 60% by 2020. As AI becomes more advanced, large enterprises have begun to use AI-powered security and identity verification solutions to help protect their business from today’s growing cyber threats.
Written by Labhesh Patel, CTO & Chief Scientist at Jumio