Each new data breach casts doubt on whether personal data can ever truly be kept private. Despite increased efforts to improve security and prevent hacking, major sites continue to become the targets of global hackers. What do these breaches teach businesses and users about modern cybersecurity, and what can be done to minimize future risks?


Millions of Users Compromised on Instagram

In March 2019, Facebook announced in a blog post that tens of thousands of Instagram users’ passwords had been “accidentally” stored in a format readable by third parties, although the social site claimed none of the passwords were “internally abused or improperly accessed.” By April, the number of affected users had increased to the millions, suggesting the breach was much more extensive than was first believed.

All affected users should have been notified by Facebook, but despite the apparent lack of malicious activity, the full impact of any vulnerability may not always be known. With no indication of who might have had access to the passwords or how the data might be exploited, it’s possible information associated with the accounts could have been compromised.

Instagram was in the spotlight again about a month later when information on 49 million users, including celebrities and popular influencers, was discovered in a database belonging to Chtrbox, an influencer marketing site. Information was reported to include profile pictures, likes, shares, follower counts, locations, phone numbers and email addresses.

Chtrbox claimed only 350,000 records were in the database, all compiled from publicly available information and not from Instagram itself. If any of the data did actually come from Instagram, it’s possible a flaw in the website, which may have existed since October of the prior year, could be to blame. The database was “inadvertently left unsecured for approximately 72 hours” before being fixed.

Canva Design Tool Attacked and Breached

Other sites are equally vulnerable even when they don’t contain the same level of personal data found on social media platforms. A breach of the Australian design tool Canva highlights this unsettling reality. Canva allows users to create custom images for social media posts and profiles, email marketing, blogs and print advertising and was recently breached by an opportunistic hacker going by the name “GnosticPlayers.”

The hacker claimed to have stolen data on 932 million users from 44 sites across the web, including Canva, which closed its database server after detecting the breach in mid-May 2019, but it was too late to prevent 139 million records from being compromised. Seventy-eight million of the affected users signed into Canva through Google accounts, which could put additional information outside of the design platform at risk.

Canva assures its users no login credentials were compromised because all passwords for the site and third-party login options are encrypted and impossible to decode. However, it continued to advise users to change passwords for Canva accounts as a precaution. 

How Should Users Respond?

The smartest thing for individuals to do after a data breach is to change passwords for the affected sites and any sites where the same email address and password combination are used. Those signing in through a third party, such as Google, may also want to consider updating those passwords. Even though affected users receive notification from companies that experience a data breach, a password reset is always a good precautionary measure following data compromise.

Creating stronger passwords, eliminating duplicates and managing password information more carefully reduces the risk of multiple accounts being compromised. Adopting the highest security settings and adding firewalls, anti-spyware and anti-malware programs to all devices can provide another layer of protection during daily work and web browsing. 

How Should Businesses Respond?

Companies handling any kind of personal information need to implement more sophisticated security measures and take advantage of solutions incorporating artificial intelligence and machine learning to monitor network use and detect anomalies suggestive of possible malicious activity. Early detection is key in preventing extensive breaches, and technology is continuously being updated to handle new threats.

IT professionals trained in disciplines relevant to breach prevention can help business owners develop and deploy improved cybersecurity plans and educate both employees and customers in better password management practices. Some companies are dealing with increased threat risks by phasing out passwords completely and introducing more secure login options.

It’s unlikely breaches will ever stop completely, but businesses and users are responsible for taking proactive steps to reduce risks as much as possible. For IT professionals, massive breaches like those affecting Instagram and Canva highlight the growing need businesses have for better access control and cybersecurity protocols. Individuals with knowledge and experience in identity risk management and identity theft prevention can provide the guidance required to identify potential vulnerabilities and thwart hackers before millions of records are compromised.

Identity and access management certifications

For banks, credit unions and other financial institutions, verifying the identity of customers is of vital importance. Compliance regulations are becoming more complex, requiring more diligence and detail during onboarding and throughout the customer lifecycle. Among these regulations is the “know your customer” (KYC) process, which may directly affect how institutions handle identity management.

Know Your Customer information by Identity Management Institute

What is Know Your Customer (KYC)?

When a customer wants to do business with a financial institution, it’s up to the institution to make sure the person is who he or she claims to be and the transactions being performed are legitimate. At its most basic, KYC means getting a better understanding of each customer’s identity prior to entering into any kind of relationship or agreement. The process keeps out individuals on prohibited lists, and those with whom doing business poses too great a risk, before they can negatively affect operations.

The KYC regulations began in 2001 as part of the Patriot Act and include two main requirements:

• Customer Identification Program (CIP), in which identifying information is gathered and analyzed 
• Customer Due Diligence (CDD), a predictive approach to fraud prevention requiring knowledge of customer behaviors to assign risk ratings and detect anomalies suggestive of fraud

Maintaining KYC compliance through these processes poses a challenge in light of the changing nature of identity and the growing volume of customer data in a connected age.

How Do KYC Rules Impact Identity Management?

In combination with other anti-money laundering (AML) regulations, KYC is meant to help minimize problems with fraud, money laundering and the siphoning of funds to terrorist groups. By identifying customers as legitimate or risky before giving them the green light, CIP and CDD should, in theory, reduce the number of fraudulent or illegal transactions and lessen the likelihood of identity theft.

However, implementing CIP and CDD can complicate the process of identity verification, making even simple transactions cumbersome and creating bottlenecks for both customers and institutions. Getting a more detailed understanding of identities requires customers to collect and present a greater number of documents, which financial institutions then must verify as genuine.

Due to the longer process, onboarding time has already jumped significantly since more institutions began complying with KYC. In 2016, it took 22 percent longer to onboard corporate clients, and the process slowed down another 18 percent the next year. This can have a serious impact on a bank’s ability to build its customer base and makes it nearly impossible for businesses to complete important financial tasks during the onboarding period. 

How Can Businesses Become KYC Compliant?

As with other regulations implemented to protect privacy, minimize fraud risk and combat identity theft, failure to comply with KYC can carry hefty fines. Between 2008 and 2018, financial institutions in the U.S. alone had to shell out $23.52 billion as a result of noncompliance, representing a large percentage of the $26 billion global total.

What can businesses do to avoid penalties?

Cybersecurity experts, particularly those versed in identity theft prevention, can help clarify the confusion surrounding identity management protocols, and KYC analysts are available to lessen the burden associated with identity verification and policy implementation. With the help of these professionals, businesses are better equipped to maintain compliance through:

• Smarter, more thorough customer onboarding procedures
• Ongoing monitoring using automated tools and artificial intelligence
• Identification of unusual behaviors indicative of fraud

These processes make it easier to identify high-risk customers and flag possible cases of identity theft before significant damage is done or compliance is threatened.

The Best Approach for Compliant Identity Management

With 16.7 million victims of identity fraud in 2017 and $16.8 billion stolen as a result, financial institutions can’t afford to ignore KYC. Compliance can be considered part of what’s now known as customer identity and access management (CIAM), the next step in the evolution of modern identity management protocols. CIAM adds another layer to traditional IAM to help businesses address the complications of an increasing number of identities, platforms, devices and touchpoints.

Minimizing the risk of fraud and identity theft in financial transactions requires continuous identity checks and verification during the course of the customer lifecycle, for which businesses can invest in seamless digital verification solutions. These solutions are compatible across platforms and can be scaled to handle global transactions. This aids in streamlining an otherwise cumbersome process and may help offset the average annual KYC compliance cost of $48 million.

For IT professionals, staying on top of KYC regulations is necessary to help financial institutions and businesses deal with the challenges of identity management in the modern era. Businesses need help staying compliant, and compliance requires a strategic approach to verifying and protecting customers’ identities. Certification in identity theft and fraud prevention can help IT professionals bring knowledge and expertise to businesses seeking guidance with KYC compliance.


Managing user identities and permissions is an essential component of cybersecurity, particularly at the enterprise level. Increasing numbers of devices and a greater diversity of device types call for a smarter, more detailed approach to network security, and businesses are turning to artificial intelligence (AI) for help.

Breaches, Cybercrime and AI

The threat of a breach is significant for today’s companies. Two-thirds of organizations experienced a breach in 2016, and the global cost of cybercrime in general is expected to reach $6 trillion by 2021. Exposure of personal information is of particular concern. While breach numbers fell 23 percent between 2017 and 2018, 126 percent more records were compromised.

Although better identity and access management (IAM) practices can lower the risk of cloud breaches by 63 percent and server and application breaches by 46 percent, thereby protecting user and consumer data, the vast majority of organizations lack a “mature approach” to IAM. Enterprises are attempting to remedy the situation by introducing artificial intelligence (AI) into their security protocols. About 15 percent of enterprises currently use AI, which has the potential to both minimize breach risk and improve business operations.

Smarter Workflows through Intelligent Access

Role-based access is a common approach to IAM, but it can fall short in workflows in which employees need short-term or one-time access to network assets. Even with a single sign-on model, users may be required to sign into multiple different applications to complete a single task or project, which can significantly slow down day-to-day business activities.

Granting special access has its own challenges. There’s always the chance access won’t be properly revoked when permissions are no longer needed, and accounts with more privileges are attractive to hackers looking for easy ways to infiltrate networks.
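The revocation problem described above is easiest to see in code. The following is an added example, not code from the original article or from any product it mentions: temporary grants carry an expiry so that a forgotten revocation fails closed, and a periodic sweep records expirations in an audit trail. All names (AccessStore, Grant, the eight-hour cap, the sample users and resources) are hypothetical and constructed for illustration.

```python
"""Time-bound ("just-in-time") access grants with automatic expiry.

Added example, not code from the original article. Standing role-based
permissions are layered with short-lived grants; an entitlement check
refuses any grant whose expiry has passed, so access that nobody
remembered to revoke stops working on its own. Names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires_at: datetime
    reason: str  # e.g. a ticket id, so every grant is traceable


@dataclass
class AccessStore:
    # Standing role-based permissions: user -> set of resources
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    # Temporary grants layered on top of the roles
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def grant_temporary(self, user: str, resource: str, ttl: timedelta,
                        reason: str, now: datetime) -> Grant:
        # Hypothetical policy: a grant must expire within a working day
        if ttl <= timedelta(0) or ttl > timedelta(hours=8):
            raise ValueError("ttl must be between 0 and 8 hours")
        g = Grant(user, resource, now + ttl, reason)
        self.grants.append(g)
        self.audit.append(f"GRANT {user} {resource} until "
                          f"{g.expires_at.isoformat()} ({reason})")
        return g

    def is_allowed(self, user: str, resource: str, now: datetime) -> bool:
        if resource in self.roles.get(user, set()):
            return True
        # Expired grants are ignored even if the sweep has not run yet
        return any(g.user == user and g.resource == resource and now < g.expires_at
                   for g in self.grants)

    def sweep_expired(self, now: datetime) -> int:
        """Drop expired grants, log each expiry, return how many were removed."""
        kept = []
        for g in self.grants:
            if now < g.expires_at:
                kept.append(g)
            else:
                self.audit.append(f"EXPIRE {g.user} {g.resource}")
        removed = len(self.grants) - len(kept)
        self.grants = kept
        return removed


def demo() -> dict:
    """Constructed walk-through: a one-hour grant on a production database."""
    t0 = datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc)
    store = AccessStore(roles={"alice": {"wiki"}})
    store.grant_temporary("alice", "prod-db", timedelta(hours=1), "ticket-123", t0)
    results = {
        "role_access": store.is_allowed("alice", "wiki", t0),
        "jit_during": store.is_allowed("alice", "prod-db", t0 + timedelta(minutes=30)),
        "jit_after": store.is_allowed("alice", "prod-db", t0 + timedelta(hours=2)),
        "other_user": store.is_allowed("bob", "prod-db", t0),
    }
    results["swept"] = store.sweep_expired(t0 + timedelta(hours=2))
    return results


if __name__ == "__main__":
    print(demo())
```

The check in `is_allowed` is the important part: it consults the expiry on every call rather than trusting that a cleanup job has run, so the sweep only exists to keep the store small and the audit log complete.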

Using AI can minimize the risk of both workflow bottlenecks and increased account vulnerability. With AI-powered security, businesses can implement continuous authentication protocols in which user activities are monitored on an ongoing basis during sessions using a robust set of identifiers, including visual and audio cues.

Fine-Grained Access at All Permission Levels

Continuous authentication is a must when privileged accounts are required. AI provides the means by which businesses can monitor all user activities and behaviors within their networks on a moment-by-moment basis. With the security system always checking for anomalies and unusual patterns, it’s possible to fine-tune access privileges and revoke access when a user doesn’t behave as expected. Such security measures can be implemented to cover every device connecting to a business network, regardless of platform or location.

As of 2018, 32 percent of organizations were relying completely on AI for cyber threat detection, which indicates the technology is paying off. To get the greatest benefit, however, security systems must be provided with as many identifying factors as possible. A more robust identity profile for each user creates smarter access control across the network.

Learning and Intervening Without Humans

AI is often combined with machine learning (ML) to create powerful tools for breach detection and prevention. As users interact with a network, ML algorithms “learn” their normal behaviors and can adapt in response to this information. This technology is making it increasingly possible to automate security and reduce the number of alerts requiring human attention.

Growing businesses and enterprises need automation to handle an otherwise overwhelming amount of user data. Adding even a few users to a network introduces new behavior patterns with variations and nuances unique to each user. Monitoring these behaviors and identifying discrepancies becomes almost impossible in large networks, but AI and ML can keep up where human efforts fall short.
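To make the “learn normal behavior, flag discrepancies” idea concrete, here is an added example that is not code from the original article: it builds a per-user baseline of login hours, countries and devices from constructed history, then scores new events by how many factors are unfamiliar and hands only the high scores to a human. The history, the thresholds (10 percent share, two-hour window, alert at two factors) and all function names are hypothetical; a production system would use far richer features, but the shape of the logic is the same.

```python
"""Per-user behavioral baseline with anomaly scoring.

Added example, not code from the original article. Learns, per user,
which login hours, countries and devices are normal, then scores new
events by the number of unfamiliar factors. Data and thresholds are
constructed for illustration; names are hypothetical.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample history: (user, ISO timestamp, country, device_id)
HISTORY = [
    ("alice", "2019-05-01T09:05:00", "AU", "laptop-1"),
    ("alice", "2019-05-02T08:55:00", "AU", "laptop-1"),
    ("alice", "2019-05-03T09:20:00", "AU", "laptop-1"),
    ("alice", "2019-05-04T10:02:00", "AU", "phone-1"),
    ("alice", "2019-05-05T09:40:00", "AU", "laptop-1"),
    ("alice", "2019-05-06T09:10:00", "AU", "laptop-1"),
    ("bob",   "2019-05-01T22:30:00", "US", "desk-7"),
    ("bob",   "2019-05-02T23:10:00", "US", "desk-7"),
    ("bob",   "2019-05-03T21:45:00", "US", "desk-7"),
    ("bob",   "2019-05-04T22:05:00", "US", "desk-7"),
]

# Constructed new events to score against that history
NEW_EVENTS = [
    ("alice", "2019-05-07T09:15:00", "AU", "laptop-1"),   # routine
    ("alice", "2019-05-07T03:30:00", "RO", "unknown-9"),  # odd hour, country, device
    ("bob",   "2019-05-07T22:15:00", "US", "desk-7"),     # routine
    ("bob",   "2019-05-07T10:00:00", "US", "desk-7"),     # only the hour is odd
    ("carol", "2019-05-07T12:00:00", "US", "tablet-2"),   # no history at all
]


def hour_of(ts: str) -> int:
    return datetime.fromisoformat(ts).hour


def build_baselines(history: List[Tuple[str, str, str, str]]) -> Dict[str, dict]:
    """Count, per user, how often each hour, country and device appears."""
    base = defaultdict(lambda: {"hour": Counter(), "country": Counter(),
                                "device": Counter(), "n": 0})
    for user, ts, country, device in history:
        b = base[user]
        b["hour"][hour_of(ts)] += 1
        b["country"][country] += 1
        b["device"][device] += 1
        b["n"] += 1
    return base


def score_event(baseline: dict, ts: str, country: str, device: str,
                hour_window: int = 2, min_share: float = 0.1) -> Tuple[int, List[str]]:
    """Return (score, reasons); one point per factor seen in <10% of history."""
    n = baseline["n"]
    if n == 0:
        return 3, ["no history for user"]
    reasons = []
    h = hour_of(ts)
    # An hour is familiar if logins cluster within +/- hour_window of it
    near = sum(baseline["hour"][(h + d) % 24] for d in range(-hour_window, hour_window + 1))
    if near / n < min_share:
        reasons.append(f"unusual hour {h:02d}:00")
    if baseline["country"][country] / n < min_share:
        reasons.append(f"unusual country {country}")
    if baseline["device"][device] / n < min_share:
        reasons.append(f"unknown device {device}")
    return len(reasons), reasons


def triage(history, events, alert_at: int = 2):
    """Score each new event; return only those that deserve human review."""
    base = build_baselines(history)
    alerts = []
    for user, ts, country, device in events:
        score, reasons = score_event(base[user], ts, country, device)
        if score >= alert_at:
            alerts.append((user, ts, score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in triage(HISTORY, NEW_EVENTS):
        print(alert)
```

Bob's single off-hours login scores one point and is not raised, which is the alert-reduction effect the text describes: only events that are unusual on several independent factors reach a person, while the rest are absorbed by the baseline.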

Better Responses to Incidents

So far, AI is showing the most promise when it comes to incident response. Between 2015 and 2016, the number of days it took organizations to detect a breach dropped from 146 to 99, a significant change considering the amount of damage hackers can do in a short time.

Using predictive analytics, security systems with AI components are better equipped to estimate the potential extent of a breach and the level of risk at the time of detection. This sets interventions in motion sooner, whether from a human cybersecurity team or the AI tool itself. With the help of ML algorithms, AI can determine when user behaviors require a lockdown of certain parts of the system and minimize data loss by preventing hackers from getting any deeper into the network.

For IT professionals, AI represents the next frontier in security and access management. The demand for trained security professionals is likely to keep growing as AI and ML become more powerful and give rise to new options for breach prevention. Certification as an identity and access management specialist or technologist provides both the knowledge and experience to help businesses keep up with the changing IAM landscape.


Consumers are a high-risk group when it comes to identity theft. According to the 2018 Identity Fraud Study by Javelin Strategy and Research, 6.64 percent of all consumers, or 1 in 15 people, were victims of identity fraud in 2017. Account takeovers jumped 61 percent between 2015 and 2017, and those with social media profiles were 30 percent more likely to experience account compromise.

This spike in malicious activity presents a serious concern for business owners trying to protect their customers’ data and identities. With a new case of identity theft occurring every 2 seconds, it’s essential to employ professionals possessing the knowledge and experience to minimize consumer risk and ensure safer network environments.

How Can CIPA Certification Help?

The Certified Identity Protection Advisor (CIPA) designation is for “professionals who can educate, guide, and support consumers with their identity theft prevention, detection, investigation and resolution solutions.” As a registered trademark of the Identity Management Institute (IMI), this certification signifies a person has the skills to address the growing problem of identity theft among consumers and provide education to “lower fraud losses” associated with consumer information and identity compromise.

The benefits of becoming a CIPA aren’t limited to individuals working in IT. Anyone whose job or industry deals with situations in which identity theft is a serious potential problem can take advantage of CIPA training. This includes those providing healthcare, insurance, legal advice and financial or accounting services, as well as law enforcement officials. By offering “strong identity theft protection training,” CIPA certification prepares professionals in all these areas to address the unique challenges involved in dealing with consumer accounts and data protection.

Symantec reports an alarming 87 percent of customers have left personal information exposed when accessing accounts containing sensitive data, such as email, banking and financial services, indicating many are ignorant of rudimentary security measures. Since a single compromised account can lead to a devastating breach, businesses need help educating consumers in the basics of identity theft prevention. 

What Are the Benefits of Being a CIPA?

In the business world, there’s a growing need for professionals to help address the challenges associated with identity theft. Business owners don’t have the time or resources to teach customers how to avoid every possible action known to leave personal accounts vulnerable to attack.

A CIPA designation gives professionals the ability to aid in minimizing threat risks to consumers and the companies with which they do business. This offers a “competitive edge” in the cybersecurity market and makes CIPAs more desirable as potential hires, especially when combined with other identity and access management certifications. High-risk organizations in particular require the guidance a CIPA can offer when seeking to reduce the overall likelihood of a breach.

Because CIPA training and certification provides a detailed understanding of identity theft risks and protection solutions, professionals with this designation are able to:

• Share and follow best practices for avoiding identity theft
• Develop and implement identity theft risk management plans
• Set up and maintain tools to detect potential fraud
• Advise customers on their rights and businesses on their obligations regarding data protection and breach prevention
• Help consumers investigate and resolve identity theft cases in a timely manner

Potential employers see certification as confirmation of a professional’s skills in these areas and recognize the benefit of hiring a CIPA over someone without specialized training.

How to Get a CIPA Certification

The Identity Protection Advisor certification is only offered through the IMI and requires membership to apply. Professionals wishing to go through the training and take the exam must sign up using the CIPA application on the IMI website.

Once an application is pre-approved, candidates must pay a certification fee, plus any applicable membership fees. The certification fee includes a study guide and the cost of the exam itself. A short CIPA video training is also available for an additional fee. Candidates have one year from the time payment is received to study for and pass the exam with a score of at least 70 percent. CIPA candidates can also order the Credit Report Review and Error Correction Guide video training.

There are 10 “Critical Risk Domains” (CRDs) covered in the training and certification process, including fraud detection, theft and fraud prevention, risk management, relationship management, awareness, and investigation and resolution. Knowledge from each domain is required to both pass the exam and provide essential identity theft prevention services to businesses and their customers.

Professionals who qualify for certification with a passing grade are required to remain IMI members and pursue continuing education opportunities to maintain the designation. These include:

• Reading relevant books
• Writing articles, books or training materials
• Attending or teaching training courses
• Attending seminars and conferences

For more information on becoming a Certified Identity Protection Advisor, visit the IMI’s CIPA certification page. See details of the risk domains covered on the exam, take a practice test and explore other certifications for professionals seeking to expand their skill sets.

Changing cybersecurity concerns impact every organization handling sensitive personal data. The latest trends in identity and access management (IAM) point toward a future in which most data and applications reside in the cloud and the concept of a “user” becomes more and more flexible. For IAM specialists, the challenge lies in keeping up with these changes and understanding how to adapt security protocols to meet the needs of clients across industries.

IAM Meets UEM for Stronger Device Security

Until recently, functions in IAM and unified endpoint management (UEM) overlapped, but each solution ran on a separate platform. As the number and types of devices used to access networks increase, it’s becoming necessary to bring the two together into a single system for easier management.

UEM involves “securing and controlling” all the devices on a network in a connected, cohesive manner from a single console. Devices may include:

• Desktop and laptop computers
• Smartphones
• Tablets
• IoT devices

Businesses of all sizes are now dealing with situations in which employees access applications and data from multiple devices, often moving between devices during the workday. Each device needs to be not only monitored but also secured to prevent data compromise or theft.

Some IAM providers are beginning to add UEM capabilities to their offerings in response to these changes, and UEM companies are doing the same with IAM. However, for companies not using comprehensive platforms, it’s necessary for IT professionals to seek IAM and UEM solutions designed for smooth integration to ensure there are no gaps in security coverage. 

Microservices Increase IAM Flexibility

Device diversity and complex workflows require flexible environments for access and security. Vendors are making this easier for developers and end users by modularizing common IAM functions into “microservices.”

In a modular system, services like token validation and authentication are provided as independent, self-contained modules, which can then be connected using integrations. Communication via APIs keeps services independent of any particular platform or operating system, so developers can also incorporate IAM modules into apps. Integrations can be challenging when grouping modules from different vendors, but these links are essential for proper communication. Information must flow uninterrupted between modules for access and authorization to remain efficient.

Cloud Migration Requires Updated Access Roles

Just as IAM structure is changing, so are definitions that were once clear. In the past, a “user” was a person and a “machine” was a single device, usually a computer or workstation. Today, a user can be an actual person, an application, a mobile device, an IoT device or anything else requiring access to or within a system. Machines may be applications, systems or devices of any type.

Cloud migration is part of what’s driving this change. By the end of 2019, half of all enterprise workloads will be in the cloud, and IAM services are also moving to cloud environments. This shifting landscape requires a new approach to access management, although not all businesses are on board. Some still handle and store identity information on premises and are either unwilling or not yet ready for a completely cloud-based solution.

However, on-premises security measures are no longer sufficient to address the concerns presented by complex modern systems. Businesses must go beyond the basics and consider adopting a more aggressive approach, such as zero-trust security. With so many endpoints to consider, the granular control offered by zero trust is becoming an essential part of cybersecurity protocols.

Over 80 Million Households Exposed in Latest Massive Data Breach

A database recently discovered by a team of Israeli data security experts highlights the critical importance of IAM for all types of organizations. As part of their work at vpnMentor, the team was performing a sweep of unsecured cloud databases with the intent of notifying owners of the need to protect the data.

The database contained information on more than 80 million U.S. households, and all individuals in the database were over age 40. At first, no one was sure where the data had come from or who had compiled it, but later reports showed it apparently belonged to a company offering insurance, healthcare or mortgages. Only some of the data was encrypted; other information was readily accessible. Exposed information may have included names, addresses, genders, marital statuses and income levels.

Since the discovery of the database, which was hosted on a Microsoft server, Microsoft has removed the information and notified the owner. However, it’s unclear how long the database existed or whether any of the data was compromised by hackers.


Without dynamic, adaptive security systems equipped to detect subtle changes in user behavior and prevent unauthorized access, the risk of breaches in these types of situations remains high. Businesses and organizations need qualified cybersecurity specialists to develop robust protocols designed to protect systems from today’s sophisticated hackers.