In 2016, there were 1,093 data breaches in the United States, a record high and a 40% jump from 2015. This rapid increase should serve as an alarm for businesses to address this ever-persistent and growing security issue. But as businesses look to prevent data breaches from occurring—or, more realistically, plan how to manage them—there is a common misconception that continuously creating and implementing more cybersecurity solutions will stop these incidents. While this may sound counterintuitive, the reality is that there is only so much these solutions can do to stop attackers, especially those who are highly motivated, well-funded or both.
Instead of focusing solely on the immediate “crisis” of an incident—responding to, managing and resolving a data breach—businesses must spend more time proactively identifying how fraudsters are stealing and exploiting company data, and then look to reduce or shore up any vulnerabilities.
Once a breach occurs, it is safe to assume that fraud will ensue. This could be immediately after or days, months or even years down the line, such as with the compromise of 500 million Yahoo user accounts from a breach that took place in 2014 and only recently came to light. Companies need to be aware of the consumer data they possess that may be of interest to fraudsters and determine how to keep that data safe. By devoting equal energy to this portion of the data breach lifecycle, businesses can better address and protect consumers from the long-tail implications of a breach.
The good news is that there are three clear actions businesses can take to bolster fraud management and protect their customers:
1. Strengthen internal security practices.
While considered rudimentary, protecting their own networks is a crucial task that many companies struggle with. In fact, a recent Ponemon study found that the majority of companies believe employees are the weakest link in their efforts to create a strong security posture, with more than half experiencing a security incident or data breach due to employee negligence.
There is a clear knowledge gap, most likely the result of inadequate training, that businesses must address by both educating their employees on data security and privacy practices and creating a culture of cybersecurity awareness. This includes making sure training covers emerging security risks and is mandatory for all employees, providing incentives to employees for proactively protecting sensitive information or reporting issues, and having clear consequences for negligent behavior (a third of companies do not have clear consequences for employees responsible for causing a breach).
Failing to devote time and resources to security awareness only creates more vulnerabilities as employees—through no fault of their own—are left ill-equipped to protect their company’s confidential data. This rings true for all departments and levels of employees, from IT teams responsible for applying security patches and updating anti-virus software on operational systems to human resources departments tasked with safekeeping valuable employee information, and everyone in between.
Every employee plays a role in security, both in carrying out individual tasks responsibly and spotting and reporting potential issues. By taking a proactive approach and reevaluating internal practices, companies can reduce the overall risk of an attack.
2. Invest in services to track fraudsters’ activity.
In addition to zeroing in on internal employees, businesses must pay attention to the actions of the fraudsters themselves.
If a company has been breached, it is likely that any stolen information will appear on the dark web before the attack has even been detected. Mining this data can be instrumental in preventing future attacks, and even attacks in progress, as it gives companies the ability to identify compromised assets or information, scan for data leakages, and stop the sale of that data or of a specific vulnerability. Additionally, regularly tracking criminal activity and open discussions on the dark web can help detect specific fraudster patterns—including new methods of attack and common points of entry—and facilitates the early involvement of law enforcement.
Fortunately, the industry has substantially increased its abilities around dark web tracking, research and collection of information. Only 15% of businesses, however, are actually taking advantage of them. By devoting more resources to this research and tracking underground activity, organizations have the opportunity to minimize external threats, identify vulnerabilities in advance and proactively alert impacted individuals. Monitoring can be as simple as hiring a service provider to scan for fraudulent identity usage that may correlate with the organization’s consumers and employees.
3. Proactively provide fraud protection to customers.
Another important audience to consider in fraud management is customers.
There is a clear consensus that credit monitoring and/or identity theft protection products are the best defenses for consumers following a breach, and these should become ongoing services rather than just post-incident remedies. By offering these protections proactively, businesses can more accurately verify their customers on an ongoing basis, thereby identifying the associated risks of specific identities. Additionally, this would allow for cross-network sharing of identity information, allowing businesses to work together to flag breaches that may affect customers of multiple companies in order to better keep an eye on fraudulent activity.
Ultimately, proper resources exist to help companies implement safer security practices and keep preventable incidents from occurring. While taking advantage of them requires businesses to be hands-on, it is well worth the effort when you factor in the reputational and financial risks of a data breach and the long-tail impacts on those affected. By proactively educating employees, protecting consumers and tracking criminal activity, businesses can put a stop to opportunistic fraudsters.