NBC News is among outlets covering the new 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center, which discusses that hackers stole nearly half a billion personal records in 2018.
Experts Comments below:
Colin Bastable, CEO at Lucy Security:
“Third-parties are significant multipliers in the risks faced by consumers and businesses: the fewer moving parts we have between us and our data, the safer we are.
By making login more convenient for users, for example by using Facebook, Google or another intermediary, organizations are exposing consumers to significant, chronic risk.
By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blind-sided: you reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised. Many business cloud applications use APIs to integrate with corporate email and other systems – each connection multiplies our risks of loss from being hacked.
Using email addresses as usernames is to be avoided whenever possible. Organizations don’t do this to help consumers, but to reduce the support burden and lost business from forgotten usernames. Convenience is a double-edged sword – if it’s easy for you, it’s easier to attack you.
From an organizational perspective, the technologies already exist to protect data. We have encryption, tokenization, MFA, anti-malware software, firewalls and so on, but attacks keep succeeding at increasing rates. Therefore, we can conclude that cybersecurity technology is never going to solve this problem. In February 2020, reports will show that 2019 was another stellar growth year for hackers. Businesses, Consumers, Governments, Militaries, NGOs and Politicians will all be hacked this year as never before: your job is to make sure that you, your family and your organization are not one of them. If you don’t have to hold consumer data – don’t. Train your people relentlessly, and run “what-if?” scenarios for the 20% of them who will click on a phishing link. Test systems and people in a holistic model, and let someone else be the victim.”
Anthony James, Chief Strategy Officer at CipherCloud:
“Inside of your computers and networks, personal information should always be encrypted and protected. This should include all of your on-premise applications, SaaS-based applications, and custom IaaS-based applications. Zero Trust strategies necessarily take this to the boundary, that is to say, that encryption should protect the enterprise on-premise and to the edges of the extended enterprise within all of the clouds that you use.
Recognize that it is more common to find cyberthieves attacking APIs, middleware, and database-only encryption – these are the new skirmish lines for cyberattacks, especially within the cloud where you’re most vulnerable. Tools that automatically implement encryption and protect your data, such as data loss prevention (DLP) and digital rights management (DRM), help secure the extended enterprise. In the event that an important vendor doesn’t have the right data protection, you can wrap their applications with a cloud access security broker(CASB) to provide the necessary cloud security for your data.
Beyond the skirmish over encryption, credential access remains in the midst of a full pitched battle. Attackers will use one of many techniques such as account manipulation, bash history, brute force, credential dumping, registry- based credentials, forced authentication, hooking, input capture, kerberoasting, and keychain attacks and many more. While it’s possible to intercept 2FA logins generally, for most consumers and business, 2FA adds the layer of security that will protect your data. Find vendors that support 2-factor authentication (2FA) and single-sign-on (SSO) technology for both the applications you build and buy.”
