Data breaches affected more than one billion people in 2018, and that number is only set to increase as hackers continue to develop new and innovative ways of carrying out cyber theft.
As we near the first anniversary of GDPR's introduction, 2019 has already become the year in which the first serious GDPR-related fine was handed out. The £50 million penalty meted out to Google this month by French regulator CNIL is no doubt a sign of things to come.
As such, data – how it is stored, analysed and applied – will be a key theme for 2019, so understanding what is most valuable to criminals, and prioritising protection accordingly, will only become more important. The key to prioritising which areas of your business to protect is understanding how hackers monetise data.
1. Data heist
By stealing huge quantities of data, hackers can sell large packages of information very quickly to the highest bidder. Those who buy their cyber-loot will then unpick the package and use it in different ways, often alongside other stolen information, to build sophisticated frauds. But because thefts of large amounts of data at once are often quickly identified, the shelf-life of the stolen information is very short – often just a few days.
As well as making it as difficult as possible to steal information on this scale, businesses also need to raise the alarm quickly to stop that data being misused. This in turn limits the value of the heist, and businesses with a reputation for acting quickly become significantly less attractive targets.
2. Using data for complex fraud
The second common way of making money out of stolen information is by selling it on the black market. By stealing passwords and other security details, criminals can break unnoticed into other businesses’ systems and simply lie in wait for someone to share bank details, or to reveal information that could be used to create false identities.
This allows them to divert payments or apply for fraudulent loans. These crimes leave less of a footprint so the stolen information can retain its value for months, giving the hacker plenty of opportunity to find black-market buyers. Businesses can respond, for example, by using multi-channel security systems that can’t be accessed simply by stealing a password.
3. Low and slow fraud
Finally, there are the low-and-slow fraudsters whose primary aim is to avoid detection for as long as possible. One example would be those cybercriminals who target retailers by diverting small numbers of deliveries from real customers to themselves.
Providing they only steal a small number of deliveries, the ‘lost’ items aren’t enough to raise the alarm and the criminals can carry on stealing undetected for many months. Simply by identifying this as a threat, would-be victims can set up alerts to spot the fraud earlier and intervene.
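The alerting idea above, sketched in Python as an added example that is not part of the original article: a per-day volume limit never fires on this kind of theft, while counting how many distinct customer accounts had parcels redirected to the same address over a long window does. The record fields, thresholds and the sample data (including the "Unit 9 lock-up" address) are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

def redirected(deliveries):
    """Keep deliveries sent somewhere other than the customer's address on file."""
    return [d for d in deliveries if d["delivered_to"] != d["address_on_file"]]

def daily_volume_alerts(deliveries, per_day_limit):
    """Naive check: days on which redirected deliveries exceed a fixed limit."""
    per_day = defaultdict(int)
    for d in redirected(deliveries):
        per_day[d["day"]] += 1
    return sorted(day for day, n in per_day.items() if n > per_day_limit)

def slow_diversion_alerts(deliveries, window_days, min_customers):
    """Destinations that received redirected parcels from at least
    min_customers distinct accounts within any window_days span."""
    by_dest = defaultdict(list)
    for d in redirected(deliveries):
        by_dest[d["delivered_to"]].append((d["day"], d["customer"]))
    flagged = {}
    for dest, events in by_dest.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            end = start + timedelta(days=window_days)
            customers = {c for day, c in events[i:] if day < end}
            if len(customers) >= min_customers:
                flagged[dest] = sorted(customers)
                break
    return flagged

def row(day, cust, dest):
    return {"day": day, "customer": cust,
            "address_on_file": f"{cust} home", "delivered_to": dest}

def sample_deliveries():
    """Constructed data: 120 days of orders with one diverted parcel every 20 days."""
    start, rows = date(2019, 1, 1), []
    for n in range(120):
        day = start + timedelta(days=n)
        for k in range(5):  # five ordinary deliveries a day
            c = f"C{(n * 5 + k) % 200:03d}"
            rows.append(row(day, c, f"{c} home"))
        if n % 20 == 0:  # diverted parcel, a different victim each time
            rows.append(row(day, f"C{n:03d}", "Unit 9 lock-up"))
        if n % 30 == 7:  # legitimate one-off gift to another address
            rows.append(row(day, f"C{n:03d}", f"C{n:03d} friend"))
    return rows
```

On the sample data the daily check returns nothing, while the 90-day window flags the single address that five different accounts shipped to and ignores the one-off gift redirects.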
Forewarned is forearmed
In each case, the data that criminals want to steal, and the warning signs businesses are looking for, are very different. So how do businesses use this knowledge to better protect themselves?
The first step is for managers to understand which data they hold is most valuable. For some, this might be the passwords consumers use to log in to their site, knowing that people often use the same passwords elsewhere. For others, the invoice data and bank details they hold for clients might be significantly more valuable.
The second step is to understand that cybercrime isn’t a problem you can fix with one IT update, or by revisiting security every time data breaches make the news. Cybercriminals are constantly working to outwit their victims, and so businesses need to see this as an ongoing battle where security is under permanent review.
- Andy Barratt is UK MD of international cybersecurity consultancy at Coalfire