Cyber security took a pummelling in 2020, measured by the volume of data lost in breaches, and this year is shaping up to be another record-breaking year for cyber threats and data breaches.
Recently, Singapore Airlines announced that the data of 580,000 of its frequent flyer members was compromised in an attack on the air transport IT company SITA.
Last month, the “Compilation of Many Breaches” (COMB) leaked online, containing more than 3.2 billion unique pairs of cleartext email addresses and passwords aggregated from past leaks of Netflix, LinkedIn, Exploit.in, Bitcoin and more. That is more than twice the number of unique email and password pairs in the 2017 Breach Compilation, which put 1.4 billion credentials online.
With the jarring frequency of these attacks and the volume of sensitive data they expose, it is no surprise that organisations are on high alert. Given the rapidly evolving threat landscape and the uncertainty of the ongoing pandemic, companies need to consider the business impact of a data breach and the concrete steps that must be taken today before a business can consider itself truly resilient.
Hidden costs of a data breach
There are two areas that tend to be hardest hit in the event of a breach: financials and brand reputation.
To many, it will seem self-evident that the bottom line takes a hit in a breach. However, there are hidden costs that many overlook when laying out business continuity plans and data recovery schemes. Singapore’s Personal Data Protection Act (PDPA) was recently updated, and its enforcement regime includes financial penalties for a company found to have been non-compliant.
There are also clean-up and recovery costs. This category covers everything from legal fees, should affected individuals decide to take action, to bringing in outside forensic experts to assist in the post-mortem investigation.
A data breach can have serious ramifications for the public's perception of a company. Maintaining customer loyalty is a tricky proposition in the best of circumstances, and it only gets trickier when private information is leaked.
According to a Ponemon Institute study, nearly 1 in 3 customers who were involved in a data breach in the last year discontinued their relationship with the business involved.
Authentication is key to resilience
When a data breach occurs, the message is always the same: use unique passwords, change your passwords and use a password manager. Yet reusing the same password across services is still common practice.
There are two truths here that we need to accept: we’re never going to prevent all data breaches, and the password hygiene message isn’t getting through.
To build up the sort of business resilience needed to survive the worst-case scenario that is a data breach, businesses now need to force the issue to protect themselves and their customers.
Authentication is much more than an email and password combination. One-time passcodes and biometrics are mainstays of multifactor authentication, but consumer-facing businesses have often avoided them for fear of adding friction to the customer journey.
Adaptive technologies are the answer. They are designed to introduce friction only when necessary, without degrading the customer experience for everyone else. They judge whether a login is legitimate from a series of signals that are combined into an overall risk score.
Logging in from London and five minutes later from Singapore? Red flag. Using a password that appeared in a recent breach dump? Red flag. When such red flags push the score over a threshold, Adaptive Multi-Factor Authentication triggers an additional verification step to confirm the user's digital identity.
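The scoring logic described above, as an added example (this is illustrative code written for this page, not Auth0's implementation). It assumes a hypothetical point system: impossible travel is detected by computing the great-circle distance between consecutive logins and the speed that would be needed to cover it; the breached-password check mirrors the k-anonymity range-query pattern (only a five-character SHA-1 prefix leaves the client) but runs against a small constructed breach corpus instead of a real service. The weights, the 1,000 km/h plausibility limit and the step-up threshold are assumptions, not values from the article.

```python
import hashlib
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed, hypothetical "breach corpus". A real deployment would query a
# range endpoint (e.g. an HIBP-style Pwned Passwords API) by SHA-1 prefix; the
# dict below stands in for that service's response, keyed by 5-char prefix.
_BREACHED_PLAINTEXT = {"password123", "letmein", "qwerty2020"}
BREACH_INDEX: Dict[str, Set[str]] = {}
for _pw in _BREACHED_PLAINTEXT:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def password_in_breach(password: str) -> bool:
    """k-anonymity style lookup: share only the hash prefix, match suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in BREACH_INDEX.get(prefix, set())


@dataclass(frozen=True)
class LoginEvent:
    at: datetime        # timezone-aware UTC timestamp
    lat: float          # geolocated latitude in degrees
    lon: float          # geolocated longitude in degrees
    device_id: str      # browser/device fingerprint or cookie identifier


def make_event(iso_utc: str, lat: float, lon: float, device_id: str) -> LoginEvent:
    """Build an event from an ISO-8601 string such as '2021-03-01T09:00:00' (UTC)."""
    ts = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return LoginEvent(ts, lat, lon, device_id)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling: roughly airliner cruising speed
SAME_TIME_TOLERANCE_KM = 50.0  # assumed: geo-IP jitter for near-simultaneous logins


def impossible_travel(prev: Optional[LoginEvent], cur: LoginEvent) -> bool:
    """True if the user could not physically have moved between the two logins."""
    if prev is None:
        return False
    dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:  # clock skew or out-of-order events: fall back to distance only
        return dist_km > SAME_TIME_TOLERANCE_KM
    return dist_km / hours > MAX_PLAUSIBLE_KMH


# Assumed weights for the illustrative risk score.
WEIGHTS = {"impossible_travel": 60, "breached_password": 50, "new_device": 20}
STEP_UP_THRESHOLD = 50


def risk_score(prev: Optional[LoginEvent], cur: LoginEvent, password: str,
               known_devices: Set[str]) -> Tuple[int, List[str]]:
    """Combine the individual red flags into a score plus the reasons behind it."""
    reasons: List[str] = []
    if impossible_travel(prev, cur):
        reasons.append("impossible_travel")
    if password_in_breach(password):
        reasons.append("breached_password")
    if cur.device_id not in known_devices:
        reasons.append("new_device")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(prev: Optional[LoginEvent], cur: LoginEvent, password: str,
           known_devices: Set[str]) -> str:
    """Return 'step_up_mfa' when the score crosses the threshold, else 'allow'."""
    score, _ = risk_score(prev, cur, password, known_devices)
    return "step_up_mfa" if score >= STEP_UP_THRESHOLD else "allow"


if __name__ == "__main__":
    # Constructed scenario from the text: London, then Singapore five minutes later.
    london = make_event("2021-03-01T09:00:00", 51.5074, -0.1278, "dev-A")
    singapore = make_event("2021-03-01T09:05:00", 1.3521, 103.8198, "dev-A")
    print(risk_score(london, singapore, "correct-horse-battery", {"dev-A"}))
    print(decide(london, singapore, "correct-horse-battery", {"dev-A"}))
    print(decide(None, london, "password123", {"dev-A"}))
```

A new device on its own stays below the threshold here, so a customer who buys a new phone is not challenged, while a login that reuses a leaked password or appears to teleport across the globe is. In production the weights would be tuned against real login telemetry, and the geolocation would come from a geo-IP database rather than being supplied by the caller.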
Should you find yourself staring at a security alert saying that you've been breached, the following steps can help guide your response and recovery:
- Develop a strong business continuity plan
- Assemble an executive disaster recovery team
- Test IT and business team readiness
- Craft a crisis communication plan
- Implement regular security testing procedures
- Roll out training programs for all staff
- Lock down your perimeter, which includes a solid identity and access management (IAM) approach that does not introduce more friction for users
The relationship between business resilience and data breaches is a complex one with many moving parts. Having resilient, flexible systems in place is crucial to being able to pivot when necessary and keep the business on course, whatever situation you encounter.
Richard Marr is General Manager, APAC at Auth0, an identity platform for development teams.