Cyber Darwinism: Why Data Security Shouldn't Be Survival Of The Savvy

The internet is a dangerous place and we've reached a point where simply going about our online business is fraught with risks. You just don't know what's lying behind a link, or which advertisements popping up across web pages are potentially malicious. Security experts have recited the same advice for years - don't open attachments from people you don't know, choose complicated passwords, don't use unsecured public WiFi - the list goes on. But, in reality, how much does this go in one ear and out the other of the average person? The vast majority of people are not security savvy and yet are expected to fend for themselves in the wild west of the internet.

Organizations can do their utmost to encourage users to adhere to the basic principles of cyber hygiene but there's little they can do to enforce completely safe behavior in a practical way. Many consumer-facing banks, for example, have for years offered customers free anti-virus or software to protect themselves when banking online, but only a tiny percentage of people take them up on the offer. Short of threatening to refuse services to consumers not properly securing themselves, banks must accept the risk of transactions from malware-infected devices. It's a case of repeating the advice and hoping it's heard and acted upon - fingers crossed!

The challenge for organizations is that it's not just the consumer that suffers from their poor data security practices. Unsecured consumer endpoint devices create a huge exposure for online services they're accessing, particularly with respect to fraud - losses due to bank fraud are at an all-time high. In fact, research released this week by the Federal Reserve Bank of Minneapolis shows that three out of four financial institutions reported incurring fraud losses, with one of the most frequent reasons being the fraudulent use of account numbers online.

All in all, relying on end users to adequately protect themselves has proven to be a failed approach. And with malware becoming increasingly sophisticated and capable of multiple methods of data exfiltration, aging anti-virus products available to dutiful consumers clearly are no longer the solution to tackling the issue.

The answer is pretty straightforward: seamlessly protect the full transaction stack without the need for consumers to do anything at all. Historically, protection has focused on the endpoint, but why take on the impossible task of securing the entire endpoint when most sensitive transactions take place in web browsers? By wrapping individual browsing sessions in an invisible layer of protection you can block malware from accessing or exfiltrating data. Even when malware is present on the endpoint, it can't get the data it's there to steal.

This approach requires absolutely no action to be taken by the end user. As soon as they visit a website where the technology is enabled they will be protected automatically - without any need to download any cumbersome software on the device. By providing the protection automatically, we can render the security posture of the endpoint a moot point and, as a consequence, dramatically reduce the risk of fraud for banks and other businesses enabling sensitive transactions online.

Trevor Reschke

One of the foremost experts in cyber-terrorism. A former Counterintelligence Special Agent specializing in digital investigations, incident response, and vulnerability assessment for the US Army Regional CERT in Europe.