3 ways to protect your organization from identity-based cyber attacks

The pandemic has accelerated progress towards remote working and digitization. With so much more personal information now online, companies, institutions, infrastructure and even democracies are being maliciously targeted by actors wishing to exploit it. Industries responsible for the administration and deployment of critical infrastructure – energy, telecommunications, healthcare, transportation and finance, to name a few – are particularly vulnerable.

The telecommunications (telco) sector, for example, deals with large volumes of sensitive data. During the pandemic, people all over the world relied on this technology to collaborate remotely. This has made the sector uniquely vulnerable to cyber attacks that target and exploit personal information for data, system or network access, or for financial rewards. We call these 'identity-based threats.'

Identity-based cyber attacks can come in many forms, like phishing, credential stuffing, impersonation and fraud. A case study from Deloitte revealed that government agencies continue to breach international telecommunications systems to establish covert surveillance on various communication channels, including phone lines, online chat platforms and mobile phone conversations. There was even one case in which a cyber attack from one nation blocked another nation's leaders from using their mobile devices.

In the case of telecommunications, the prevalence of exposed identity-based data linked to major companies is especially severe. Constella Intelligence’s most recent Telco Sector Exposure Report identified nearly 4,900 total breaches and leakages and more than 5.6 million records exposed from the 20 top telecommunications companies between January 2018 and September 2021. Much of this personal data – including names, addresses, social security numbers, bank routing details or medical data – is available in dark web forums, where it can be purchased and subsequently used for criminal purposes.

Organizations must have plans in place to deal with attempts to target and exploit the personal data and identities of customers and employees. They must commit adequate resources to manage the converging digital and physical risks of identity-based cyber attacks, as almost 50% of security leaders report an increase in physical security threats and incidents at their company over the last year.

Here are three steps organizations can take to protect themselves and their customers.

Risks are best mitigated through early detection practices. Geographic proximity is no longer an adequate measure of risk, as identity-based cyber attacks and scams can be launched from anywhere in the world. In September 2022, The Australian Media and Communications Authority levelled nearly $200,000 in fines for failures to run comprehensive identity checks when transferring mobile phone number data, resulting in compromised email and banking accounts and other fraud-related issues for some customers.

China is also making staunch efforts to curb telecommunications-related cybercriminal activity, closing 594,000 fraud cases in just 15 months. National authorities determined that scammers typically work in groups and follow strategically worded scripts to develop relations with unsuspecting targets through online chat programs. The incentives that drive criminal chains across the globe indicate an urgent need for continuous, proactive threat monitoring and detection across the mainstream internet and dark web to protect identities and organizations.

If companies do not proactively protect their customers' and employees' identity-based data, they will likely be exposed to severe legal and financial penalties. To understand the potential ramifications, look no further than the US Security and Exchange Commission’s recent fines against top companies for failing to safeguard proprietary data and customer identities.

These cases can teach other organizations how to successfully navigate new governmental requirements and implement more robust threat intelligence programs before it is too late. This means that board-level and senior leadership must be involved in crucial security- and privacy-related considerations. Key preventative steps include continuously updating a robust response plan, adequately surveilling the production and transfer of sensitive data and implementing tailored security programming for companies of all sizes and needs.

Companies must be prepared for changes in regulations around data management. Best practices include short-term and long-term preparatory actions, including cross-functional teamwork, proactive evaluation of cybersecurity capabilities and identification of technological gaps.

Although the telecommunications sector exemplifies the major risks related to identity-based data, it is not alone. Critical infrastructure organizations in energy, pharma, financial services, transportation and others are facing similar challenges. Regulators and policy-makers are more aggressively focusing on threats targeting customer and employee identities - for most companies and industries, this means increased oversight and multi-layered costs. Critical sectors must place identity-driven risk mitigation at the forefront of their cybersecurity efforts to best handle this new reality of evolving cyber attacks and increasing regulatory oversight.