BankThink

Poor password hygiene makes breaches inevitable

With 2019 on track to be the worst year ever for data breaches, this is bad news not only for individual consumers and the breached businesses but for every business that operates online, big and small.

Recent high-profile data breaches (such as Capital One, Facebook, Equifax, Quest Diagnostics) flooded the web with users’ personal information, such as name, Social Security number, address, credit card numbers, passwords, and the like. For bad actors, that’s a treasure trove of data to be weaponized and used to commit fraud across the internet.

Put bluntly, every business has to deal with the repercussions of breaches whether directly involved or not. Why? Because most people practice poor password hygiene. According to Dashlane, a password management app, nearly half of U.S. workers use their personal passwords for their work accounts. Furthermore, a poll conducted by LogMeIn discovered nearly 60% of those surveyed also use the same password everywhere. That doesn’t just put consumers at risk, but it puts every business those consumers interact with squarely in fraudsters’ crosshairs.

So how do you protect your business and your users knowing all this information is out in the wild?

One way is to implement two-factor authentication (2FA) for high-risk accounts and/or transactions to defend against account takeover. 2FA works by requiring users to know something (passwords, PINs, usernames) and have something (typically a mobile phone or a physical dongle).

Fraudsters may gain access to users’ email addresses, usernames, or passwords via the breach of another business, but it’s unlikely they will be able to get their hands on that information plus the cell phone or tiny USB fob that a user carries everywhere. Businesses may not want to require 2FA across the board, but having the process in place to invoke it selectively, adding friction dynamically when a scenario is high-risk, is a useful approach to the high-risk situations that will inevitably arise.
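The "dynamic friction" idea above, as an added illustration that is not part of the original article: a low-risk transaction passes on the existing password session, while a high-risk one (large amount, or an unrecognised device) is held until the user supplies a valid one-time code from the phone they carry. The code check is standard TOTP (RFC 6238, HMAC-SHA1, 30-second steps), the risk policy, the `HIGH_RISK_AMOUNT` threshold and the device list are constructed assumptions, and the secret is RFC 6238's published test seed rather than a real key.

```python
import hashlib
import hmac
import struct
import time

# Constructed example values: RFC 6238's published test seed, not a real user's key.
SECRET = b"12345678901234567890"
TIME_STEP = 30             # seconds per TOTP window (RFC 6238 default)
HIGH_RISK_AMOUNT = 1000.0  # assumed threshold above which a second factor is demanded


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1):
    """Return the time-step counter the submitted code matched, or None.

    `window` tolerates +/- one step of clock drift between phone and server;
    compare_digest keeps the comparison constant-time.
    """
    base = int(at_time) // TIME_STEP
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def is_high_risk(txn: dict, known_devices: set) -> bool:
    """Constructed step-up policy: a large amount or a device never seen for this user."""
    return txn["amount"] >= HIGH_RISK_AMOUNT or txn["device_id"] not in known_devices


def authorize(txn, known_devices, secret, used_counters, submitted_code=None, at_time=None):
    """Dynamic friction: low-risk transactions pass on the password session alone,
    high-risk ones require a valid, not-yet-used TOTP code ("something you have")."""
    if at_time is None:
        at_time = time.time()
    if not is_high_risk(txn, known_devices):
        return "approved"
    if submitted_code is None:
        return "second_factor_required"
    matched = verify_totp(secret, submitted_code, at_time)
    if matched is None or matched in used_counters:
        return "denied"  # wrong code, or a code that was already accepted once (replay)
    used_counters.add(matched)  # remember accepted steps so a captured code cannot be reused
    return "approved"


if __name__ == "__main__":
    devices = {"dev-known"}
    used = set()
    print(authorize({"amount": 25.0, "device_id": "dev-known"}, devices, SECRET, used))
    risky = {"amount": 2500.0, "device_id": "dev-known"}
    print(authorize(risky, devices, SECRET, used, at_time=59))
    print(authorize(risky, devices, SECRET, used, submitted_code=totp(SECRET, 59), at_time=59))
```

Two details are worth noting in the `authorize` path. The drift window means a code stays valid for roughly a minute and a half, so the server must record which time-step counters it has already accepted, otherwise a code intercepted once could be replayed within that window. And the risk decision is made before any code is requested, which is what lets the same endpoint stay frictionless for routine activity and demand the second factor only when the signals warrant it.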

However, the effort doesn’t stop there. Looking beyond the personally identifiable information (PII) used to create an account and examining how the user actually behaves adds a further layer of fraud detection.

Is the user acting like a normal user of your platform? Are their behavioral biometrics — keystroke rhythm, device angle, mouse movement, battery life, etc. — consistent with what the user usually does? This type of analysis is difficult to do with traditional, rules-based fraud prevention solutions due to the large number of signals and interactions needed to make an accurate determination. Machine learning based on your users’ actions, combined with a global network of data, can help aggregate and analyze the myriad signals on your site.

Purchasing cyber-risk insurance to cover any costs that are associated with the fallout is also an option. But insurance policies don’t effectively mitigate the potential hit to a company’s bottom line following a breach. In the case of Capital One, a $400 million policy deductible will be used to cover credit monitoring and legal support for affected users. For public companies, data breaches negatively affect stock prices. For private companies, the costs associated with breaches can be astronomical.

If your company conducts business online, it will at some point have to deal with the fallout of another company’s breach. To protect your livelihood (and the livelihoods of your users), you need to be ready.
