The same motivation that has for decades convinced cat burglars to sneak in through open windows and pilfer jewels from the dresser drawers of their sleeping victims moves cybercriminals to slither around in cyberspace to steal data: It's valuable. And easy to get to.
Just as businesses measure the costs associated with protecting their information, cybercriminals are also weighing the costs associated with stealing it. For both, low effort, low risk and high yield win the day. To flip that equation and thwart bad actors, organizations should consider increasing the costs to steal data and even devaluing the data itself.
Igor Baikalov, chief scientist at Securonix, says cybercriminals consider the same three basic factors that common crooks consider: the cost of breaking in, the value of the assets targeted and the risk of getting caught.
Certain cyber defenses – such as tokenization, third-party encryption, data obfuscation and multifactor authentication –not only protect data, but also can be used to chip away at data's worth, making it less desirable to a cybercriminal.
Firms could devalue their data by separating the data they store from both the financial gains and the competitive advantage that threat actors most often seek, says Baikalov.
Baikalov said, for example, if a user's personal information is needed to open or access an account, companies should ensure that more stringent controls are in place that would be harder for an attacker to circumvent.
Adding multiple layers of defense increases the effort an attacker would have to exhaust on a target, subsequently deterring threat actors, he says.
When organizations use tokenization and third-party encryption, stolen data is of little value to a cybercriminal outside of the organization since they cannot convert the token back to the original translation, explains David Burg, a cybersecurity leader at PwC. Third-party encryption, he says, secures sensitive data with encryption keys that can only be unlocked by decryption keys which are not stored in the company's network.
“This technique of ‘separating the lock from the key' makes decryption of the data more challenging and, as a result, makes the data less valuable to a cybercriminal,” Burg says.
Obfuscation, hiding original data within random characters or faulty information is another tool that firms could use to “increase the friction” of an attacker trying to break in, ultimately making the data less desirable, says Craig Spiezle, executive director of the Online Trust Alliance (OTA).
Other experts agree. Luther Martin, distinguished security technologist at Hewlett Packard Enterprise (HPE), says organizations can protect their data by removing only a portion of the valuable information. “This is typically seen in the health care industry, where data needs to be anonymized, but enough information has to still be present to allow its use in things like epidemiology, as well as other important secondary uses,” Martin says.