3 ways to protect your organization from identity-based cyber attacks

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Jonathan Nelson, Director, Risk Intelligence, Constella Intelligence, Alejandro Romero, Chief Operations Officer, Constella Intelligence

• Both individuals and companies are facing an increased risk of cyber attacks that exploit identity-based data.
• Organizations must have a strategy for dealing with the exploitation of personal data of customers and employees.
• They should detect threats early, adhere to regulations and prepare for regulatory changes.

The pandemic has accelerated progress towards remote working and digitization. With so much more personal information now online, companies, institutions, infrastructure, and even democracies are being maliciously targeted by actors wishing to exploit it. Industries responsible for the administration and deployment of critical infrastructure – energy, telecommunications, healthcare, transportation and finance, to name a few – are particularly vulnerable.

The telecommunications (telco) sector, for example, deals with large volumes of sensitive data. During the pandemic, people all over the world relied on this technology to collaborate remotely. This has made the sector uniquely vulnerable to cyber attacks that target and exploit personal information for data, system or network access, or financial rewards. We call these ‘identity-based threats’.

Identity-based cyber attacks can many forms, including phishing, credential stuffing, impersonation and fraud. A case study from Deloitte revealed that government agencies continue to breach international telecommunications systems to establish covert surveillance on various communication channels, including phone lines, online chat platforms and mobile phone conversations. There was even one case in which a cyber attack from one nation blocked another nation’s leaders from using their mobile devices.

In the case of telecommunications, the prevalence of exposed identity-based data linked to major companies is especially severe. Constella Intelligence’s most recent Telco Sector Exposure Report identified nearly 4,900 total breaches and leakages and more than 5.6 million records exposed from the 20 top telecommunications companies between January 2018 and September 2021. Much of this personal data – including names, addresses, social security numbers, bank routing details, or medical data – is available in online dark web forums, where it can be purchased and subsequently used for criminal purposes.

Dealing with identity based cyber attacks

Organizations must have plans in place to deal with attempts to target and exploit the personal data and identities of customers and employees. They must commit adequate resources to manage both the converging digital and physical risks of identity-based cyber attacks, as almost 50% of security leaders report an increase in physical security threats and incidents at their company over last year.

Here are three steps organizations can take to protect themselves and their customers.

1. Early threat detection

Risks are best mitigated through early detection practices. Geographic proximity is no longer an adequate measure of risk, as identity-based cyber attacks and scams can be launched from anywhere in the world. In September 2022, The Australian Media and Communications Authority leveled nearly $200,000 in fines for failures to run comprehensive identity checks when transferring mobile phone number data, resulting in fraud-related issues including compromised email and banking accounts for some customers.

China is also making staunch efforts to curb telecommunications-related cybercriminal activity, closing 594,000 fraud cases in just 15 months. National authorities determined that scammers typically work in groups and follow strategically worded scripts to develop relations with unsuspecting targets through online chat programs. The incentives that drive criminal chains across the globe indicate an urgent need for continuous, proactive threat detection and monitoring across the mainstream internet as well as the dark web, to protect identities and organizations.

2. Proactive and thorough regulatory adherence

If companies do not proactively protect their customers’ and employees’ identity-based data, they are likely to be exposed to severe legal and financial penalties. To understand the potential ramifications, look no further than the US Security and Exchange Commission’s recent fines against top companies for failing to safeguard proprietary data and customer identities.

These cases can teach other organizations how to successfully navigate new governmental requirements and implement more robust threat intelligence programs before it is too late. This means that board-level and senior leadership must be involved in crucial security- and privacy-related considerations. Key preventative steps include continuously updating a robust response plan, adequately surveilling the production and transfer of sensitive data and implementing tailored security programming for companies of all sizes and needs.

Discover

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity drives global action to address systemic cybersecurity challenges and improve digital trust. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors.

• Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible training to a new generation of cybersecurity experts.
• The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, European Network and Information Security Agency, and the US National Institute of Standards and Technology, is identifying future global risks from next-generation technology.
• The Forum has improved cyber resilience in aviation while working with Deloitte and more than 50 other companies and international organizations.
• The Forum is bringing together leaders from more than 50 businesses, governments, civil society and academia to develop a clear and coherent cybersecurity vision for the electricity industry.
• The Council on the Connected World agreed on IoT security requirements for consumer-facing devices to protect them from cybers threats, calling on the world’s biggest manufacturers and vendors to take action for better IoT security.
• The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.

Contact us for more information on how to get involved.

3. Preparing for regulatory changes

Companies must be prepared for changes in regulations around data management. Best practices include short-term and long-term preparatory actions, including cross-functional teamwork, proactive evaluation of cybersecurity capabilities and identification of technological gaps.

Although the telecommunications sector exemplifies the major risks related to identity-based data, it is not alone. Critical infrastructure organizations in energy, pharma, financial services, transportation, and others are facing similar challenges. Regulators and policymakers are focusing on threats targeting customer and employee identities. For most companies and industries, this means increased oversight and multi-layered costs. Critical sectors must place identity-driven risk mitigation at the forefront of their cybersecurity efforts.