Taking a multi-tiered approach to rethinking the identity of your employees, partners, and customers is a good place to start.

Security incidents have been at record high levels throughout 2022, with the top threats including data breaches and ransomware, driving financial fraud and losses from ransom payments. The numbers for known malware attacks keep rising. A recent report by UK-based IT Governance identified 112 publicly disclosed security incidents in August 2022 across the United States, the UK, Europe, South America, and elsewhere. These security breaches resulted in 97,456,345 compromised records.

Known malware attacks during 2022 are costing companies millions of dollars. During the first half of 2022, there were a total of 236.1 million ransomware attacks worldwide, according to Statista. Hackers often use clever phishing campaigns to obtain employee credentials and initiate these attacks.

Social engineering

There are many different hacking ruses out there right now, but social engineering needs to be near the top of every CSO's list of growing threats. These attacks include everything from fake bank messages carrying spam links and suspicious Facebook direct messages from "friends" to bad actors phishing employees' credentials to gain access to company systems.

Preying on and duping unsuspecting employees has become one of the easiest ways for hackers to get into company systems: find an unsuspecting employee, obtain that employee's credentials, and steal the keys to the kingdom. As the saying goes, it is easier to get in with the keys to the front door than to break in through a back door.

Collectively, we need to embrace a more modern and secure way to verify an individual's identity and move past the old ways of multiple usernames, passwords, and security questions. Even MFA is no longer infallible.
Uber, Twilio, Mailchimp hacks

Any organization is at risk of a data breach or security intrusion. This is what happened to Uber this past summer. A hacker used social engineering to obtain an Uber employee's credentials and gained access to the internal Uber intranet, the company Slack system, the Google Workspace admin console, Uber's AWS accounts, financial dashboards, and more.

Another prominent example occurred earlier in 2022, when security firm Group-IB uncovered that employees of Twilio, Mailchimp, and Klaviyo were the unwitting victims of a massive phishing campaign. This attack compromised nearly 9,400 accounts in more than 130 organizations. Many of these employees were US-based and used Okta's widely deployed identity and access management service.

There have been other attacks earlier this year, too. I covered news of these in my CIO column back in June. For example, the Lapsus$ hack involved Cisco, NVIDIA, Samsung, T-Mobile, Vodafone, and possibly other notable organizations. And CSOs, note that even the platforms designed to protect you and your employees are being hacked. In August, password management company LastPass announced that its systems had been breached.

CSOs and systems admins thought MFA (multi-factor authentication) or 2FA (two-factor authentication) were ideal solutions. But now even those processes are being defeated, and bad actors are gaining unauthorized access to user data and information.

Emerging legislation

With people falling victim to phishing and fraud attacks, legislators in both the UK and the US are taking note. There is a proposal in the UK that would have banks and other financial institutions reimburse victims of online fraud. The Payment Systems Regulator announced in September that it wants the payments industry to change how it manages APP (Authorised Push Payment) scams. The proposed measures require banks to reimburse stolen amounts of over £100 to fraud victims.
UK-based banks will be obligated to compensate a customer even if the phishing attack was made possible by the ignorance of the banking customer; the bank will still be obligated to help refund the lost money. In the United States, Massachusetts Senator Elizabeth Warren is pushing for similar legislation in the aftermath of her analysis of Zelle customers who reported stolen money.

Financial institutions must pay strict attention to fraud schemes to better protect their customers. By protecting their customers, banks also protect their bottom line. Cybersecurity issues are not just a security or brand problem; they are also becoming a punitive financial problem.

How CSOs can fight back

CSOs must double down on preventing phishing attempts in and around internal systems. It is one of the most critical actions to tackle. Not only are your customers getting hacked and their information exposed, but now even the companies that manage credentials and access control (Duo, Okta, LastPass) have been compromised, further exacerbating the problem.

Locking up the front door is still the best way to prevail against these threats. Taking a multi-tiered approach to rethinking the identity of your employees, partners, and customers is a good place to start. If you are not already considering doing so, it is time to start looking at the next generation of identity management and access control products being introduced into the market. These systems can better establish the identity not only of the device logging in, but also of the individual using the device.

In addition, identity needs to be a continuous concern, not just something checked at the beginning of the day, shift, or online session. Newer AI-based systems can accomplish this without the annoying pop-ups of continuous re-authentication, by combining a variety of behavioral and possibly biometric signals in real time.
Zero Trust has become an overused phrase in the industry, but it is now time to start deploying solutions that allow you as the CSO to truly trust who is accessing your networks and data.