Security is all about risk management. It is possible to make data completely secure: encrypt it, print it out, put it in a bank vault, and the chances of anyone extracting useful information from it drop to almost zero. The problem with that approach is obvious: the data is secure but completely useless. Putting data in contexts where it can be used, especially by people who aren't security conscious, exposes it to risk; storing it unencrypted on a thumb drive so you can take it home to work with is an obvious example. We have to walk the line between usefulness, convenience, and risk mitigation, and to do that we have to understand which data is actually at risk, which in turn means understanding what online criminals are after.
The most obvious data at risk is data that gives criminals a direct financial advantage. Credit card numbers fall firmly into that category, but they confer only a short-term advantage: the attacker steals the numbers, spends until the cards are cancelled, and then the numbers are worthless.
Attackers are therefore increasingly interested in longer-term exploitation of data, particularly through identity theft. If you hold enough information to reliably impersonate someone, you don't need to steal heavily protected data like card numbers at all: you have enough to apply for new credit cards in the victim's name.
According to Tsion Gonen, Gemalto’s vice president of strategy for identity and data protection,
“We’re clearly seeing a shift in the tactics of cybercriminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number. Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we’re starting to see that the universe of risk exposure for the average person is expanding.”
Because identities themselves have become so lucrative to online criminals, the range of data that needs careful protection has expanded, and companies that handle personal data must take a much broader view of the situations that put it at risk.
Companies have a responsibility to protect every piece of data that could contribute to an identity theft attack on their customers. That includes everything from email addresses to utility bill details: each item may look harmless on its own, but combined with a date of birth, a home address, or the answers to common security questions, it is enough to open accounts or take over existing ones. Managing data risk today means keeping almost everything under wraps; it is no longer enough to encrypt credit card data, everything should be locked up tight. Employees at every level of a company should be aware of these risks.
Furthermore, protecting data isn't enough. Companies should have procedures in place to notify their customers of any potential data breach. Sweeping a breach under the rug has never been an ethical response, and it may soon become an illegal one: the proposed Personal Data Notification and Protection Act would make it mandatory to inform affected customers of a breach within 30 days.
Online criminals don't just want our credit cards: they want to know everything about us so that, in the digital world, they can become us. Companies that aren't serious about data protection and risk management are putting both themselves and their customers at substantial risk. Protecting data may inconvenience customers and cost companies money, but given the way modern online crime works, it's a price worth paying.