California has always been a king of innovation – from the earliest ventures in filmmaking to today’s Silicon Valley technologies. So it’s not surprising that California has been at the vanguard of cybersecurity, being the first state to enact a data breach notification law in 2003.
Laws don’t stop cybercriminals, though – and California has seen a sharp rise in breaches over the last 4 years, according to The California Data Breach Report. Consider these chilling realities:
• There were 657 data breaches involving more than 500 records from 2012-2015 – impacting a total of more than 49 million records of Californians.
• In 2012, 2.6 million records were impacted; by 2015, that number rose to 24 million.
• Nearly 3 out of 5 California residents were victims of a data breach last year.
According to the report, every industry is affected: schools, hospitals, restaurants, retailers, banks, hotels, government agencies and more. Any of them can suffer severe consequences, such as brand damage, class action lawsuits, lost business and regulatory fines. Their users and consumers see their social security numbers, payment card data, medical information, driver’s license numbers and other personal data fall into criminal hands; according to Javelin Strategy & Research, 67 percent of 2014 breach victims in the U.S. were also victims of fraud.
It’s clear that organizations aren’t fulfilling their obligations to protect their customers. Most of the breaches in California were due to security failures – and most systems were compromised more than a year after a fix for the exploited vulnerability was available. These breaches could have been prevented, and they weren’t.
Let’s break down the threats in play. Anyone who follows the cybercrime landscape won’t be surprised to hear that malware and hacking dominate the reported attacks, driving 54 percent of breaches and impacting 90 percent of the records involved. This type of breach has also increased by 22 percent between 2012 and 2015. The six breaches of more than one million records? All malware and hacking.
Physical breaches, such as data loss from stolen devices, and breaches caused by error (like misdelivery of email) were still a factor in the report, but came in at a distant second and third.
Stopping the Mayhem with Multi-Factor Authentication
From the report, 2 truths are clear:
• Organizations need to step up their security game and protect their consumers and the data they collect from them every day. That means sharpening their security skills and controls and implementing the right technologies.
• Passwords and usernames are not working as adequate security measures. Additional measures are needed – which brings us to the report’s recommendations, specifically for multi-factor authentication.
According to the report, “Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.”
Multi-factor authentication works because it offers greater protection than just the username-and-password combination. Passwords aren’t always as unique, complex and concealed as they should be – and people don’t change them as often as they should. Multi-factor authentication addresses those shortcomings by adding layers that effectively thwart attacks.
Usually these factors take the form of:
• “something you know,” such as a password
• “something you have,” such as a token or a one-time code sent to a phone
• “something you are,” such as a fingerprint or typing pattern.
Criminals might be able to steal a phone or hack a password but they can rarely satisfy all of the requirements to get past multi-factor authentication.
SecureAuth Satisfies Security Recommendations
Many businesses still think of multi-factor authentication as a burden – a layer of security that comes at the expense of the user experience. But that’s yesterday’s technology. SecureAuth IdP layers two-factor and adaptive authentication to protect data in a way that’s convenient for users. By removing friction from the authentication process, SecureAuth IdP technology works with the user rather than disrupting their workflow. It also supports over 20 two-factor authentication methods, including SMS, telephony and e-mail OTPs, push notification, OATH tokens, social network IDs, device fingerprints, and of course traditional smartcards and tokens.
The result: a secure, flexible access solution that stops hackers in their tracks – even when they have valid passwords.
It’s worth noting that SecureAuth solutions meet almost half of the 20 controls in the Center for Internet Security’s Critical Security Controls – another recommendation in the report. These 20 controls, which represent the minimum level of security for any organization that handles personal or sensitive data, include:
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Controlled Use of Administrative Privileges
• Maintenance, Monitoring, and Analysis of Audit Logs
• Email and Web Browser Protections
• Boundary Defense
• Data Protection
• Controlled Access Based on the Need to Know
• Application Software Security
SecureAuth and our partners can help with all of the above. Controlled use of administrative privileges? Check. Email protections? Check. Data protection? Controlled access based on need to know? Application security? Check, check, check.
Laws don’t stop cyberattacks. Technologies do. The rise in California cybercrime proves that businesses can’t wait any longer to adopt solutions that will keep their reputations, their data and their customers safe. Check out how SecureAuth IdP can deliver the advanced security solutions that are needed now more than ever.