In Data Security, It’s a Numbers Game
In its most recent Cyberthreat Defense Report, CyberEdge Group noted that more than half of business security and IT leaders (52 percent) believe a successful cyber-attack is likely in the coming year, up from 39 percent in 2013.
Given all the news around the high number of large-scale data breaches that befell companies such as The Home Depot, Staples, Anthem Health, and Neiman Marcus in 2014, it’s not surprising. It's also not surprising that many businesses feel helpless to defend against hackers, who, according to the report, managed to work their way into more than 70 percent of business data networks, up from 62 percent in 2013.
While the problem is pervasive, and protecting against it is indeed a challenge, there are a number of basic, low-cost steps that companies can take to secure consumer data.
Experts largely agree that a firewall—a network security system, either hardware- or software-based, that controls incoming and outgoing network traffic—should be the first line of defense against hackers and malicious software. Antivirus and antispyware software should make up the second line, scanning for and removing programs and code that can damage computers or compromise the valuable data they store.
The third line of defense should be multifactor authentication. Multifactor authentication is a security system that requires more than one method to verify a customer's identity before allowing him to log in to an account, access information, or perform some other transaction. The goal of multifactor authentication is to create a layered defense; if one factor is compromised, the hacker still has at least one more barrier to breach before breaking into the system.
Multifactor authentication can involve any combination of the following elements:
• knowledge factors, such as user names or IDs, passwords, PINs, and the answers to secret questions;
• possession factors—anything users must have in their possession, such as security tokens, one-time password tokens, key fobs, employee ID cards, or mobile phone SIM cards;
• inherence factors, also called biometric elements, such as retina scans, iris scans, fingerprints, vein patterns, facial recognition, voice recognition, and even hand and earlobe geometry;
• location factors—users' current locations, based on GPS tracking of their smartphones or automatic number identification (more commonly known as caller ID), or, in the case of Web traffic, their IP addresses;
• time factors, such as verification of employee IDs against work schedules (also, a bank customer can't physically use an ATM card in America and then in China 15 minutes later); and
• behavior factors, using analytics to understand users' unique behaviors and flag activities that fall outside of normal patterns.
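As an added illustration (not code from the article or from any product it mentions), the following Python puts three of these factors in sequence the way a layered login check would: a knowledge factor (salted PBKDF2 password hash), a possession factor (a time-based one-time code following RFC 6238, which is what most authenticator apps generate), and a location/time factor (an "impossible travel" check over the distance and elapsed time between two logins). The `UserRecord` store, the 1,000 km/h plausibility threshold and the sample coordinates are assumptions constructed for the example; the TOTP seed is the RFC 6238 test-vector secret so the codes can be checked against the published values.

```python
"""Layered (multifactor) login check: knowledge + possession + location/time.

Added example for this article, not the article's own code. Assumes a
hypothetical UserRecord holding a salted PBKDF2 hash and a TOTP seed; the
login history and coordinates below are constructed sample data.
"""
import hashlib
import hmac
import math
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# ---- knowledge factor: password stored as a salted PBKDF2 hash --------------
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(hash_password(password, salt), stored)

# ---- possession factor: one-time code per RFC 4226 / RFC 6238 ---------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at_time // step, digits)

def check_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    # accept the current step plus/minus `window` steps to tolerate clock skew
    return any(
        hmac.compare_digest(totp(secret, at_time + 30 * k).encode(), code.encode())
        for k in range(-window, window + 1)
    )

# ---- location/time factor: impossible-travel check --------------------------
def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    r = 6371.0                                   # mean Earth radius, km
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(prev: Tuple[float, float, float],
                      cur: Tuple[float, float, float],
                      max_kmh: float = 1000.0) -> bool:
    """prev/cur are (unix_time, lat, lon). True if the implied speed is implausible.
    The 1,000 km/h threshold is an assumption (roughly airliner speed)."""
    (t1, la1, lo1), (t2, la2, lo2) = prev, cur
    dist = haversine_km(la1, lo1, la2, lo2)
    hours = abs(t2 - t1) / 3600
    if hours == 0:
        return dist > 0
    return dist / hours > max_kmh

# ---- putting the layers together ---------------------------------------------
@dataclass
class UserRecord:                                # hypothetical store for the example
    salt: bytes
    pw_hash: bytes
    totp_seed: bytes
    last_login: Optional[Tuple[float, float, float]] = None   # (unix_time, lat, lon)

def authenticate(user: UserRecord, password: str, code: str,
                 now: int, location: Tuple[float, float]) -> Tuple[bool, str]:
    """Every layer must pass. The failing layer is returned for server-side
    logging; a real login page would show the client one generic error."""
    if not check_password(password, user.salt, user.pw_hash):
        return False, "knowledge"
    if not check_totp(user.totp_seed, code, now):
        return False, "possession"
    if user.last_login and impossible_travel(user.last_login, (now, *location)):
        return False, "location"
    user.last_login = (now, *location)           # record only successful logins
    return True, "ok"

if __name__ == "__main__":
    seed = b"12345678901234567890"               # RFC 6238 test-vector secret
    salt = b"constructed-salt"
    u = UserRecord(salt, hash_password("correct horse", salt), seed)
    nyc, beijing = (40.7128, -74.0060), (39.9042, 116.4074)
    print(authenticate(u, "correct horse", totp(seed, 59), 59, nyc))
    # same user, valid code, 15 minutes later from Beijing: location layer fails
    print(authenticate(u, "correct horse", totp(seed, 959), 959, beijing))
```

Each layer fails independently, which is the point of the layered design: a stolen password alone stops at the possession check, and a stolen password plus a phished one-time code from a distant location still trips the travel check. The TOTP values for this seed match RFC 6238 Appendix B (6-digit `287082` at T=59), so the routine can be validated before it is trusted.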
Larry Ponemon, founder and chairman of the Ponemon Institute, a provider of independent research on privacy, data protection, and information security policy, calls multifactor authentication "absolutely critical" for a secure customer experience. Not having it "is a recipe for disaster."
"You need to authenticate on more than one platform," Ponemon adds. "Passwords and security questions alone are not secure enough. Personal information is just too readily available, and the answers to the standard questions can be found out too easily."
Thomas Loeser, a former federal cybercrime prosecutor who is now a partner at Seattle law firm Hagens Berman, agrees. "Multifactor authentication provides a huge advantage," he says. "It prevents someone from gaining access to sensitive information just because he has a user name and password, which hackers can easily get."
In 2014, 783 major data breaches in the United States potentially exposed hundreds of millions of customer records to hackers, according to information compiled by the Identity Theft Resource Center (ITRC). Many of them "could have been avoided with multifactor authentication," Loeser states without hesitation.
Leslie Ament, senior vice president and principal analyst at Hypatia Research, called multifactor authentication "a highly necessary component in protecting customers from fraud as well as for managing business risk."
Editor's Note: Part 1 of this series, which identified different types of enterprise security holes, appeared in the May issue of CRM magazine.