The same motivation that has for decades convinced cat burglars to sneak in through open windows and pilfer jewels from the dresser drawers of their sleeping victims moves cybercriminals to slither around in cyberspace to steal data: It's valuable. And easy to get to.
Just as businesses measure the costs associated with protecting their information, cybercriminals are also weighing the costs associated with stealing it. For both, low effort, low risk and high yield win the day. To flip that equation and thwart bad actors, organizations should consider increasing the costs to steal data and even devaluing the data itself.
Igor Baikalov, chief scientist at Securonix, says cybercriminals consider the same three basic factors that common crooks consider: the cost of breaking in, the value of the assets targeted and the risk of getting caught.
Certain cyber defenses – such as tokenization, third-party encryption, data obfuscation and multifactor authentication – not only protect data, but also can be used to chip away at data's worth, making it less desirable to a cybercriminal.
Firms could devalue their data by separating the data they store from both the financial gains and the competitive advantage that threat actors most often seek, says Baikalov.
Baikalov said, for example, if a user's personal information is needed to open or access an account, companies should ensure that more stringent controls are in place that would be harder for an attacker to circumvent.
Adding multiple layers of defense increases the effort an attacker would have to exhaust on a target, subsequently deterring threat actors, he says.
When organizations use tokenization and third-party encryption, stolen data is of little value to a cybercriminal outside of the organization since they cannot convert the token back to the original translation, explains David Burg, a cybersecurity leader at PwC. Third-party encryption, he says, secures sensitive data with encryption keys that can only be unlocked by decryption keys which are not stored in the company's network.
“This technique of ‘separating the lock from the key’ makes decryption of the data more challenging and, as a result, makes the data less valuable to a cybercriminal,” Burg says.
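The tokenization Burg describes, sketched in Python as an added example that is not part of the original article (it does not cover third-party encryption). The `TokenVault` class, the `tok_` prefix and the sample card numbers are constructed for illustration, and the vault is assumed to run outside the application's network.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Tokenization service assumed to run outside the application's network."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # never leaves the vault
        self._token_by_fingerprint = {}  # HMAC(value) -> token, for stable tokens
        self._value_by_token = {}        # token -> original value

    def tokenize(self, value: str) -> str:
        fp = hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            # Random token: no mathematical relationship to the value it replaces.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_fingerprint[fp] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        if not caller_authorized:
            raise PermissionError("detokenization denied")
        return self._value_by_token[token]


# Constructed sample records (test card numbers, not real accounts).
SAMPLE_CUSTOMERS = [
    {"name": "A. Example", "card": "4111111111111111"},
    {"name": "B. Example", "card": "5555555555554444"},
    {"name": "C. Example", "card": "4111111111111111"},
]


def build_app_table(vault, customers):
    """What the application database stores: tokens in place of card numbers."""
    return [{"name": c["name"], "card": vault.tokenize(c["card"])} for c in customers]


def stolen_copy_exposes_cards(table, customers):
    """True if a copy of the application table alone reveals any original card number."""
    originals = {c["card"] for c in customers}
    return any(row["card"] in originals for row in table)


if __name__ == "__main__":
    vault = TokenVault()
    table = build_app_table(vault, SAMPLE_CUSTOMERS)
    print(table, stolen_copy_exposes_cards(table, SAMPLE_CUSTOMERS))
```

A repeated card number maps to the same token, so the application can still join and count on the tokenized column without ever holding the original value.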
Obfuscation, hiding original data within random characters or faulty information, is another tool that firms could use to “increase the friction” of an attacker trying to break in, ultimately making the data less desirable, says Craig Spiezle, executive director of the Online Trust Alliance (OTA).
Other experts agree. Luther Martin, distinguished security technologist at Hewlett Packard Enterprise (HPE), says organizations can protect their data by removing only a portion of the valuable information. “This is typically seen in the health care industry, where data needs to be anonymized, but enough information has to still be present to allow its use in things like epidemiology, as well as other important secondary uses,” Martin says.
Many cybersecurity pros recommend employing behavior analytics as an authentication method that can increase the cost of stealing info by creating more obstacles for cybercriminals to duplicate.
Organizations should look for ways to make data that can be stolen useless without additional context and information, says Robert Capps, VP of business development at Nudata.
“Effectively, observing subtle signals generated by consumer interaction with the digital world around them allows you to identify the actual human behind the device, versus the current status quo of verifying static identifiers,” Capps says.
Behavior analytics also has the benefit of being invisible to the end-user – and to the fraudster trying to circumvent such protections, he explains. “While encryption and multifactor authentication have their place in user authentication, they aren't generally user-friendly and they present significant friction to legitimate transactions.”
Researchers also agree that organizations can benefit from understanding what goes into a cybercriminal's cost analysis for stealing data and then doing what they can to increase those costs.
Organizations have a way to go before cybersecurity pros can bring the risk of getting caught in line with the damage that cybercrime inflicts, Baikalov says. “The attribution challenges have to be tackled hand in hand with issues of inter-jurisdictional prosecution and adequacy of the retribution,” he explains.
Offensive countermeasures are starting to gain traction in the cybersecurity community, although currently the measures often aren't enough for cybercriminals to consider them a threat. “Once we make sufficient progress in attribution to minimize potential collateral damage, it will become a serious consideration, especially for the nation-state actors,” Baikalov says.
Aside from understanding how a cybercriminal evaluates costs, it is also important that organizations that store data understand the types of cost analysis cybercriminals make before stealing data.
HPE's Martin says there are roughly two classes of successful cyberattacks: Those that take advantage of low-hanging fruit within weak security protocols, and those that are carefully planned after criminals spend a significant amount of time searching for vulnerabilities.
He says employing cybersecurity measures that “catch them as they subvert a network may be the best way to deal with that level of threat.”
To help combat these types of attacks, organizations should use multiple layers of defense to not only prevent intrusions but also detect breaches early, experts agree. Spiezle explains that cybercriminals attribute value to the amount of time they can use information before the discovery of the incident. The longer they can use the data undetected the better, so organizations should put in place early detection measures that limit how long data is usable to criminals, Spiezle says.
Once an organization has implemented measures to make its data less appealing – either through devaluing the data itself or by increasing the costs to obtain it – researchers recommend strengthening staff to ensure social engineering attacks don't lead to compromises.
Burg says organizations should train customer service reps to report social engineering attacks. He sees organizations moving away from presentation-based training to real-world drills. In addition, Burg says companies should use threat intelligence measures whenever possible to inform them when criminals may be focusing on their organizations and what attacks they may use.
System security is only as strong as its weakest link, he says. “If the system uses an untested home-grown authentication protocol, it may present exploitable vulnerabilities to a cybercriminal,” Burg says. “Similarly, if an industry-accepted authentication protocol is used on a vulnerable application, that login screen may be bypassed altogether. As a result, a defense-in-depth strategy is critical for protecting an environment against cybercriminals.”