Cybersecurity Trends Magazine | Which Came First: Security or Theft?

This article was previously published in Cybersecurity Trends, authored by David Schoenberger, Eclypses Chief Innovation Officer

In the cybersecurity world, security experts and cryptographers have generally responded to a malicious hacker after a bad event has occurred. It has proven to be very difficult to anticipate what data thieves will use to steal in the future. Technology improves rapidly and so does the creative, yet criminal methods used for breaching systems, applications, and devices. What can be predicted is that thieves will always want what is not theirs and will do anything to steal. Possession of data is their goal—to steal and use data for nefarious purposes.

So really it isn’t a question of IF a malicious hacker will try to steal your data—it isn’t even WHEN they will try to steal your data. The question all organizations must accept is HOW will they try to steal the data.  Asking this question allows organizations to take a proactive approach instead of the usual reactive approach. More than being proactive, organizations must understand the key to all breaches and hacks is the actual data.

To compound the dilemma of understanding how to take a proactive approach to address these breaches and hacks, organizations are now faced with fraud perpetrated by cyber criminals targeting the external customer on their mobile devices. The COVID-19 era has ushered in the use of millions of mobile applications to manage and perform almost every aspect of daily life. This opens the door to tremendous fraud opportunities for the cyber-criminal to infiltrate organizations using their customer as the trojan horse. According to a 2021 study by Interceptd, over 21% of iOS mobile apps and over 27% of Android mobile app installs are fraudulent. That means people are downloading apps that they believe are legitimate and safe, but they are actually inviting the cyber-criminal into their device. It has become abundantly clear that if organizations cannot control their clients’ device environment, they can’t control the consumer behavior online. Futureproofing the client experience has taken on new meaning.

It is important to make another distinction while futureproofing your security plan, which is that keeping hackers away from data is not the same as protecting the data by making it unusable. Instead, it is important to implement both strategies, as both need to be part of a solid futureproofing plan. Keeping malicious hackers away include strategies like antivirus, malware protection, firewalls, threat detection, app shielding, code obfuscation, multi-factor authentication, and others. Even best practices such as redundant and geo-dispersed data centers are critical, but still only fall into the category of “keep out.”

Making the data unusable is a different beast all together and some common practices to protect data include encryption, tokenization, data masking, and other emerging solutions like MTE. The main goal of these solutions is to make this transformed data unusable and undiscernible when stolen, regardless of how it was stolen. If a hacker can’t use the data or discern the data, then there can be no threat.

Here are three considerations to futureproof your data and make it impossible for a hacker to use:

  1. Spend time identifying what data (when stolen) would ruin your organization or compromise the humans you are providing services to. Whether it’s government or a corporation, a breach ends up being a human cost and not all data in all systems would lead to a human cost. A very basic example is that the data representing the size of the latest pair of jeans you order is much less critical to protect than the payment details and delivery address. In the medical field, if a company collets Name, Date of Birth, Room Number, Treatment Physician, Procedure—and protects Name, DOB, Room Number—then it becomes less valuable to a hacker if they end up stealing the physician’s name and the procedure done. These are just basic examples to show that not all data needs protecting when the right data is protected. This is critical when in most cases the very data you are trying to protect is the data that you need available to your applications in real time. Hackers understand this conundrum and take advantage by stealing data the moment it becomes usable and moveable from encrypted storage or at data creation.  The best advice is to take the time to identify the data that needs to be protected and focus there.
  2. Determine what applications are most vulnerable to hackers. Many organizations that have been hacked recently or that respond to various research-based surveys, have an overwhelming conclusion that mobile and web-based applications are most vulnerable. This is directly tied to the human experience and is based on how humans demand to interact with corporations. Mobile devices are instantly accessible and always connected. They are the expected main way that customers interact with most corporations and services, and mobile applications are really just web-connected applications that do very similar things to web applications. Because the human has installed countless other applications on their devices, it is almost impossible to know if malicious applications are also running on the device and it is expected that hackers are watching Wi-Fi connections and looking for ways to exploit these applications. Applications both produce and interact with sensitive data—desirable by thieves and hackers.
  3. Don’t expect to reinvent the wheel! Developers often are primarily concerned with business outcomes and supporting the user experience and do not devote their sole purpose to the security of data. Therefore, in addition to developers using security best practices and standards, it is recommended to carefully select technology partners and toolkits that can supply security protocols without trying to reinvent what an entire engineering team has dedicated their focus to. Let your developers focus on what the human expects and let security technologists solve the hacker problem!

It’s critical to spend time on futureproofing your data to make it impossible for hackers to gain access. Every cybersecurity strategy needs a strong foundation for protecting the data. Find a data security solution that no matter what happens – your data remains secure.

David Schoenberger is the Chief Innovation Officer of Eclypses with over 20 years of experience researching and developing disruptive technology for financial and data security companies. Prior to his work at Eclypses, David worked as a leader and researcher at multiple fintech and cloud storage companies. He brings extensive technology and leadership experience to Eclypses as one of the creators of the patented MTE technology. As the Chief Innovation Officer, David works closely with the executive, technology, and marketing teams to execute and improve Eclypses strategy and technology. He also acts as a spokesperson for Eclypses, attending webinars and conferences to educate people on cybersecurity and risks.