Taking Data Protection Seriously

The Sony hack revealed how powerful enterprises can fall victim to cyber attacks. To defend against potential data theft and safeguard reputation, brands must uncover the vulnerabilities in their organizations to stop hackers in their tracks.

Data breaches and information security have always been top priorities for brands across industries, but recent media coverage has brought such matters to the center of national consciousness. Yet, while more consumers are increasingly aware of the threats such dangers pose to their personal well-being, few know that said events may be in steady decline.

According to one recent IBM study, researchers tracked the number of cyber attacks and data breaches during the busiest shopping days (Nov. 24-Dec. 5) of the holiday season. For 2014, the number of daily cyber attacks dropped to 3,043, nearly one-third less than the 4,200 attacks during the same timeframe in 2013, while the number of breaches dropped more than 50 percent for Black Friday and Cyber Monday year-over-year. In 2013, more than 20 breaches compromised nearly four million consumers' information, while 2014 saw only 10 breaches and 72,000 records compromised.

Brands, however, must not disregard media coverage as mere hype, for this attention hasn't blown such matters out of proportion. Instead, this increased exposure has sparked greater awareness, encouraging companies to take data protection and privacy seriously. Matt Lautz, president of CorvisaCloud, notes that many businesses fail to take extra precautions until an attack hits their specific industry. But, as the media continues to publicize every major breach, brands are shifting from the "it won't happen to me" mentality by taking action, for they recognize that, while their company needs to win against hackers every time, the hackers only need to win once.

Though companies and consumers are still talking about the Target and Home Depot data breaches, the recent Sony hack will likely have the greatest lasting impact. While these popular retailers were hacked to gain access to consumers' financial and credit card information, the Sony hack revealed the private emails of executives and producers, impacting everyone from behind-the-scenes employees to Hollywood's A-list stars. Companies now recognize that such breaches aren't limited to financial data, but personal, private information, as well. Thus, this historic hack may just be the wake-up call every company needed.

"Companies that care about data protection, privacy, their customers, and their corporate reputation have little choice but to holistically monitor the broadest possible array of online channels for threats that impact their brands, customers, and bottom lines," says Greg Mancusi-Ungaro, CMO of BrandProtect.

However, while most businesses recognize the threat such hacks pose, many are unsure of the behaviors that underscore said events. "Think like someone who wants to attack your network," says Orlando Scott-Cowley, security expert and director of technology marketing for Mimecast. "Think about how they would roam around your network, usually unprotected, and think of ways to slow them down. Only when you start to look at your data from the point of view of an attacker will you realize how vulnerable it is."

By getting inside the mind of the average hacker, companies can begin to familiarize themselves with the most vulnerable elements of their organization. While many breaches are the result of human error, the contact center remains the weakest, most susceptible link, for fraudsters can bypass security questions to gain access to sensitive information and account functionalities. Mark Lazar, global vice president, fraud and identity solutions for Verint, outlines how hackers operate after stealing credit card and identity data, noting that fraudsters cannot immediately access accounts through well-protected online channels.

"Instead, fraudsters contact the call center to access and hijack accounts," Lazar stresses. "They can often beat security questions in the call center if armed with stolen card and personal data, information from public social networks, and social engineering skills."

Using said personal (yet publicly accessible) information, fraudsters can contact financial institutions and successfully 'prove' their identity so they may request a replacement card or increase the account credit limit in order to maximize their potential. Luckily, however, as technology continues to advance, many of these leading financial brands have begun implementing voice biometrics, which allows organizations to create uniquely identifiable 'voiceprints' for future reference. While such methods allow companies to develop profiles for every customer's individual vocal characteristics, this technology also enables brands to detect repeat calls from professional fraudsters in order to prevent an outright breach.

Data brokers, on the other hand, operate silently and legally, technically. During one recent 60 Minutes segment, reporters explored the secret world of data brokers and how these professionals collect and sell customer clickstream information. Data brokers form ad networks that follow consumers online, tracking their movements and cataloging their interests to create personalized profiles (featuring individually identifiable information) that they can then sell to third parties. Retailers have been partnering with data brokers at alarming rates, for they recognize their vast supply of consumer data can serve as a secondary source of income. In many cases, this information proves to be even more profitable than the product or service they offer. Thus, brands allow data brokers to follow consumers around the Web so both parties stand to gain from this wealth of data.

To defend against potential data theft and safeguard brand reputation, brands must begin adopting basic safety measures if they haven't already. Unfortunately, as Scott-Cowley highlights, many IT teams are hunting for ways to fix legacy systems that were built at a time when security concerns weren't an issue. Retrofitting said systems often proves challenging and costly. Therefore, brands must tackle the following steps to put themselves on the path to safety:

  1. Introduce new technologies that search for and detect anomalies and spikes in activity patterns to remain aware of unusual, suspicious changes in customer behavior.
  2. Continuously educate your employees so they understand the severity of these threats, how to detect foul play, and ways to use new technologies to their advantage.
  3. Retain less data by resisting the need to collect and save every bit of customer information. Only store crucial data in order to minimize the severity of any hypothetical attacks.
  4. Engage outside consultants to conduct penetration tests. These professionals will detect gaps in the business and reveal vulnerabilities that may make the brand prone to future breaches.

Many are also beginning to embrace European policies, for these foreign measures put great emphasis on protecting consumer privacy. There, consumers have the "right to be forgotten" and businesses can no longer store their personal data. These stringent policies are far from wide adoption in the U.S., as many of this country's biggest tech giants fail to adhere to global policies. But, as Europe's data protection rules become the default privacy settings around the world, according to one recent New York Times article, the U.S. will soon have no choice but to comply with stricter protection standards. Just last week, President Obama outlined his plans for The Personal Data Notification and Protection Act during his annual State of the Union address. The legislation will improve safeguards, strengthening the obligations companies have to notify and protect consumer data in the case of an attack or breach. Though only the first step toward stricter domestic data policies, this move signifies the severity of such threats and the need to thwart said dangers before anything gets out of hand.

Ultimately, with safety at stake, companies must ensure that they have everyone's best interest at heart. Every individual could potentially be the victim of some hacker's next major attack, so brands must care for their customers as they would care for themselves.