As the famous saying goes, “the definition of insanity is doing something over and over again and expecting a different result” – a statement which can today be applied to how we’ve come to deal with data breaches over the past decade. Despite our efforts to invent new ways to secure our networks, data breaches are more prevalent than ever and their numbers are rising. In October 2016, the Identity Theft Resource Center reported a 16% increase in data breaches since October 2015, with 169,000,000 records exposed last year alone.
So why are data breach numbers rising?
A number of factors are to blame. Firstly, the digitization of people’s daily lives means that there’s simply more data out there today for people to steal. Our personal information is increasingly stored in a multitude of sources, across a multitude of networks. From social details (e.g. birthday, workplace, marital status) to financial data and medical data – everything is stored somewhere now.
As we entrust this information to the internet, it becomes an HVT (High Value Target) for criminals and hackers. And as the data shared becomes increasingly sensitive in nature, data breaches equally become more sophisticated. The ecosystem in which hackers operate is richer and bigger, and data is much more valuable.
Secondly, there’s the issue of security – specifically, users’ attitudes towards privacy and security. Most of us use the internet – whether on a desktop PC, a laptop or, increasingly, a mobile device – to share personal or sensitive data every day. Often, we use the same or near-identical passwords for different apps and services, from social media accounts and online shopping to our email, believing there is no risk because little personal information is exchanged on these applications.
But the reality is more complex. Hackers today use information from social media sites or emails to learn more about a user – for example, their geographical location. From there, they can narrow down which bank that user is likely to use.
Using these assumptions and informed guesswork, hackers can then run an automated, scripted attack that tries the user’s known login details (which are likely to be similar, if not identical) against the bank in order to get into the user’s account.
The weakness here is human nature – in particular, human laziness. Today, we have too many accounts and therefore too many passwords to remember. As such, we’d much rather have one or two for several accounts, to ensure we don’t forget them and have to continually reset our passwords.
For criminals and hackers, it’s easy to assume that a user’s login details on an email account are likely to be similar to their online banking details. While this isn’t the case for everyone, for hackers it’s simply a case of probability and luck – even if only 0.1% of 500 million accounts are successfully hacked into, that’s still 500,000 accounts compromised.
From this it’s clear to see that passwords and usernames do little, if anything, to properly prevent data breaches. Once a username or password is compromised, the entire security of the ecosystem is impacted. What’s the answer?
Preventing such breaches is a multi-layered problem that requires a multi-layered approach. Information must be accessible only to users with authorized access, and this access must be granted in a highly secure environment. Only robust identity proofing, combined with multi-factor authentication at login, can deliver this kind of defense in depth.
Multi-factor authentication – or strong authentication as it’s also known – is a simple concept, yet when properly applied it can make all the difference in delivering the security needed to reduce the threat of security breaches. It works by combining something you know (e.g. a password or PIN) with either something you own (e.g. a mobile device or even your fingerprint) or something you do, such as accessing a particular Wi-Fi network. In essence, this works much like our ATM card: we take something we have – the card – and use it in combination with something we know – our PIN – before we are authorized to make a transaction.
What’s more, multi-factor authentication remains effective even after a credential compromise has happened. If hackers obtain a user’s login details for their online banking but the bank requires a second factor to complete verification, the stolen details alone will not give them access to the account information.
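To make the mechanism concrete, here is an added example (not code from the original article) of a login check that combines a salted password hash with a time-based one-time code (TOTP, RFC 6238) produced by an authenticator app on the user’s phone. The account record, the password and the shared secret (the RFC 6238 test-vector key) are constructed sample values; the function names are assumptions made for this illustration. The example shows the point of the paragraphs above: a password stolen from another service yields `second_factor_required` or `bad_code` instead of access.

```python
import hashlib
import hmac
import secrets
import struct

# ---- second factor: TOTP (RFC 6238) built on HOTP (RFC 4226), HMAC-SHA1, 6 digits ----

STEP_SECONDS = 30
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic-truncate HMAC-SHA1(secret, counter) to a decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(at // STEP_SECONDS), digits)


def totp_valid(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the code for the current step or `window` neighbouring steps (clock drift)."""
    if not (code.isascii() and code.isdigit()):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


# ---- first factor: salted, iterated password hash ----

def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_valid(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


# ---- account enrolment and login decision ----

def enroll(password: str, totp_secret: bytes) -> dict:
    """Constructed account record: salted password hash plus the TOTP shared secret."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def authenticate(account: dict, password: str, code, at: float) -> str:
    """Returns 'ok', 'bad_password', 'second_factor_required' or 'bad_code'.

    The password is checked first, but knowing it is never enough on its own:
    a credential reused from (or stolen via) another service stops here.
    """
    if not password_valid(password, account["salt"], account["pw_hash"]):
        return "bad_password"
    if code is None:
        return "second_factor_required"
    if not totp_valid(account["totp_secret"], code, at):
        return "bad_code"
    return "ok"


# RFC 6238 test-vector key, used here purely as a constructed sample secret.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    acct = enroll("correct horse", SAMPLE_SECRET)   # constructed sample password
    now = 59.0                                       # fixed clock so the run is repeatable
    # Attacker holds the reused password but not the phone: denied.
    print(authenticate(acct, "correct horse", None, now))       # second_factor_required
    print(authenticate(acct, "correct horse", "000000", now))   # bad_code
    # Legitimate user with password and current app code: allowed.
    print(authenticate(acct, "correct horse", totp(SAMPLE_SECRET, now), now))  # ok
```

The ±1-step window tolerates a phone clock that is a few seconds off; in a real deployment the server should also rate-limit code attempts and refuse a code that has already been accepted within its step, otherwise the six-digit space is small enough to guess.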
Ultimately, no organization can protect itself fully against malicious attack and it’s inevitable that many will experience a data breach at some point or another. Organizations must therefore plan for a security failure to ensure they’re sufficiently prepared for it, if and when it comes. There’s no time like the present to bear in mind that a strong, multi-factor authentication process is essential to maintaining a robust and secure IT network.