I’m not a big fan of vampire movies—I’d pick Blackhat over Abraham Lincoln: Vampire Hunter any night of the week—but there are a lot of similarities between hackers and vampires.
- First, they’re afraid of the light. What hacker wants his true identity to be revealed?
- Second, they suck the blood out of their victims. Whether stealing data or demanding payment for ransomware, “bloodsucking” is one of the kinder adjectives used to describe cyber criminals.
However, even though vampires are theoretically immortal, vanquishing them is pretty straightforward; any True Blood fan can tell you that a wooden dagger or silver bullet will do the trick. It’s not quite so easy to stop hackers in their tracks.
Encryption can be effective …
… but it’s not a stake through the heart of hacking.
Data encryption is a highly effective defense against hackers, particularly in achieving HIPAA compliance to protect Protected Health Information (PHI). When sophisticated techniques such as encryption key rotation and key lifecycle management are in place, hackers who manage to break in and get their hands on data can’t do much with it, because what they have is ciphertext.
That’s true, but there’s one problem. Data needs to be decrypted to be used, and that is where employee negligence can open the door to hackers. Unencrypted data gets replicated across systems, stored in PDFs, saved on laptops and carried around on thumb drives. When hackers probe a healthcare organization’s storage of PHI for weaknesses, they look first for data that isn’t encrypted, stealing it unnoticed in a crime of opportunity. Downstream, stolen PHI fuels financial fraud by allowing cyber thieves to create false identities.
In 2015, the year in which an astounding 112 million patient records were stolen, employee negligence was the number-one security issue.
Biometrics are trending …
… but they aren’t the silver bullet. (I realize some purists say silver bullets kill werewolves, not vampires, but stick with me anyway.)
To protect against consumer financial fraud, there’s a lot of buzz now about using biometric information — fingerprints, iris and facial recognition, and other unique physical characteristics — to authenticate payment card transactions. Here’s a typical cheer:
“Retail leaders should implement biometric authentication as an alternative to the EMV and other bankcards. Identity should be tied to a person — not a card. This is especially true in today’s omnichannel world where an EMV chip won’t protect fraud that occurs outside of a brick-and-mortar establishment.”
Like encryption, however, biometrics are not a silver bullet to stop hackers. As a defense mechanism, biometric authentication can actually be worse, because it creates a false sense of security: unlike a password or a card, a biometric trait can’t be reissued, so once that information is corrupted or stolen by hackers, how do you prove who you really are? This excellent article in Scientific American captures the high-level privacy and cybersecurity implications that should be central to any discussion of biometrics:
“… [O]nce your face, iris or DNA profile becomes a digital file, that file will be difficult to protect. As the recent NSA revelations have made clear, the boundary between commercial and government data is porous at best. Biometric identifiers could also be stolen. It’s easy to replace a swiped credit card, but good luck changing the patterns on your iris.”
The best defense is vigilance
When it comes to ever-more resourceful and clever hackers, there is no single technology that can stop these criminals in their tracks. The best defense is constant vigilance.
All defenses can be compromised, and when that happens, you need to know it – and quickly. FICO® Cybersecurity Solutions deliver exactly that, allowing enterprises to identify emerging cyber threats and fight cyber crime in real time. In doing so, FICO solutions help to reduce the dwell time of cyber threats and dramatically narrow the window for potential damage.
To keep up with my latest musings on everything from vampires to hackers, follow me on Twitter @dougoclare.