How Consumers and Institutions Should Guard against Cybertheft
By Archie Agarwal, CEO & founder, ThreatModeler
Data breaches and cyberattacks have been hitting several of the highest-profile financial and media institutions in the last few years – Equifax saw 146 million accounts exposed in 2017 and Yahoo! suffered massive breaches in 2013 and 2014 that exposed information for more than 3 billion accounts.
While the 2013 Yahoo! breach remains the largest in history, the recent Capital One breach, which exposed 106 million customers and applicants, is a continuation of a pattern that has many consumers wondering how they can protect their private financial information.
Should customers of the companies affected by cyberattacks switch providers?
Many customers are tempted to switch banks or phone carriers when a cybersecurity incident like this occurs, but it’s important to understand that just hopping over to one of the other companies doesn’t automatically make your information safer. The Capital One, Equifax and Yahoo! incidents, among others, should remind you that even the juggernauts are vulnerable to cybercrime.
Whether or not you decide to switch, there are several additional steps that individual consumers should take if they suspect they were a victim of fraud or identity theft, to both restore and secure their information and accounts. These include identifying the type of information stolen, issuing fraud alerts with all your relevant institutions, and changing passwords and implementing two-step authentication for logins.
What should you look for in your new bank?
If you do decide to switch to a new bank to improve your security, you need to ask your potential new bank the right questions.
What are their security protocols?
What tools do they use to protect their information?
What tools do they provide to their customers to help them protect themselves?
What do they do in the event of a breach?
How can banks improve cybersecurity to prevent future attacks?
Often, institutions learn how to protect themselves the hard way – the hacker alerts them to the area of weakness … by hacking it. In the tradition of shutting the barn door after the horses have escaped, the problem gets fixed, only for hackers to find another weakness.
And unfortunately, the only Band-Aid companies such as banks and credit bureaus can offer to their customers whose information has been compromised is free credit monitoring. Equifax recently offered everyone affected by their breach either $125 in cash or 6 months of free credit monitoring, but many experts are saying that those who opted for the cash are actually unlikely to get that much if they get anything at all.
The onus is typically on the consumer to take the appropriate steps to remedy any harm caused and protect themselves in the future. That’s probably not the way it should be when these are the institutions that we must trust to bear the weight of our entire economy. So, what large-scale changes can banks implement to protect their customers and their information?
Threat modeling is how banks can try to get those barn doors shut before any horses escape. Threat modeling helps security professionals to get as far ahead of impending attack vectors as possible. Implementing threat modeling at the development stage is the best approach, as it enables companies to identify any weak spots before the infrastructure is even built. This keeps every element working more tightly together to keep bad actors out, with no need for retrofitting or retooling that could open up a gap in the security framework.
ThreatModeler is an automated tool that enables development teams to create a threat model of an enterprise’s entire attack surface. ThreatModeler can be used for cloud applications. ThreatModeler performs continuous monitoring of cloud environments, keeping users up-to-date on the latest changes, including emerging threats. ThreatModeler integrates with software development ticketing tools, CI/CD pipelines, and cloud environments so architects can implement security requirements to mitigate threats.
Banks and other institutions that house sensitive information, be it financial, medical or otherwise, should all invest in a threat modeling system that provides automation, predictive analytics, and scalability. Cybercriminals and Internet security professionals seem to stay neck and neck in the race to either create or stop the newest hacking tools and methods. It is only by keeping up with the technology standard of the bad guys that companies have a chance of staying ahead of them.
About the Author
Archie Agarwal is the founder and CEO of ThreatModeler. With more than 20 years of real-world experience in threat and risk analysis, Archie has been instrumental in successfully implementing secure software development processes at a number of Fortune 1000 companies to minimize their exposure to cyber threats and mitigate risks. Prior to founding ThreatModeler, he was the Director of Education Services at WhiteHat Security. Archie can be reached via email at firstname.lastname@example.org, on Twitter at @ThreatModeler and at our company website www.threatmodeler.com.