Brand Protection is Risk Mitigation
Background
Commercial organizations have long relied on PR firms and mass marketing to present themselves favorably. From TV commercials to social media ads to statements boasting about accomplishments and products, private sector organizations always find ways to capitalize on anything that improves their brand name. But when it comes to proactively protecting those brands against cybercriminal exploitation, organizations seem lackluster, or at least inattentive.
Part of cybercriminals' bread and butter is exploiting organizations' brands, by impersonating or counterfeiting them, to manipulate those organizations' employees and, importantly, their customers for financial gain. Tricking customers into giving up personally identifiable information (PII) and account credentials, whether through phishing, social engineering or similar means, has become a persistent problem for financial services firms, retailers, airlines and many others. It has placed their brand names in jeopardy and their credibility and reputation in the crosshairs of customers, critics and competitors.
The impact of breached and stolen PII, including financial details such as credit card numbers and bank account information, and of spoofed phishing domains is massive. They let cybercriminals cast a wide net over large numbers of individuals and companies, distributing malware or coaxing victims into handing over further information. Each successful attack breaks the confidentiality the organization promised its customers, undermines their trust, tarnishes the brand, and can expose the organization to legal liability.
The perception that banks and retailers cannot protect customer data or secure their customers against fraud has fueled a major backlash over the past five years.
And 2021 won’t be any kinder. Brand protection has never been as critical as it is today.
Why PII is Everywhere
We willingly and regularly give out our personal information to social media companies, e-commerce apps, delivery services, financial institutions, shopping centers and many others. Our information is surrendered to numerous third parties, who in turn share it with other third parties, and so on.
Our PII is collected efficiently through both legal and illegal means. In the former case we hand it over willingly to a range of parties; in the latter it is taken through targeted attacks and breaches. For cybercriminals this mass of data is a gold mine and the gift that keeps on giving. The more, the merrier!
The Impact on Brand Reputation
The impact on companies is heavily financial, with an immeasurable negative impact on their brand names. When criminals exploit a brand, or when customers lose confidence because the protections in place prove ineffective, organizations face heavy monetary repercussions.
Let's take financial details as an example, since this data is effectively the most profitable in the criminal underground. According to the Dark Web Price Index 2020,[1] stolen online banking logins for accounts with a minimum balance of $100 sell for about $35 per record, while those with a minimum balance of $2,000 sell for about $65 each. Similarly, hacked account credentials, such as Gmail (about $155 each on average) and Facebook (about $74 each), are a huge market, and billions of compromised credentials are circulating in the cybercrime underground. Because a great many people reuse the same email and password across social media and banking accounts, monetizing them is as easy as launching credential stuffing attacks, in which the email and password combinations leaked from one site are replayed, by automated tooling and at scale, against the login forms of other sites; even a low success rate pays off when the list is long enough.
With a billion-dollar illicit underground economy, in large part consisting of criminal vendors and buyers, demand is high and rising every year. According to McAfee, in 2021 the cost of cybercrime will exceed $1 trillion,[2] a staggering 40% increase from 2018, a big part of which is "online fraud and financial crimes, often the result of stolen personally identifiable information."[3]
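Credential stuffing leaves a recognizable footprint in a site's login logs: one source address trying many different accounts in a short time, with most attempts failing. As an added example (not code from the original article), the Python below runs that detection over a handful of constructed log lines in a hypothetical format; the 10-minute window, the five-distinct-accounts floor and the 75% failure ratio are illustrative thresholds, not figures from the article.

```python
"""Flag credential-stuffing sources in login logs.

Stuffing replays leaked email/password pairs against a site, so a single
source typically touches many *distinct* accounts in a short time with a
high failure ratio, whereas a legitimate user who mistypes a password hits
one account a few times and then succeeds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2021-01-12T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2021-01-12T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2021-01-12T10:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2021-01-12T10:00:04Z ip=203.0.113.5 user=dave@example.com result=OK
2021-01-12T10:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2021-01-12T10:00:06Z ip=203.0.113.5 user=frank@example.com result=FAIL
2021-01-12T10:00:07Z ip=203.0.113.5 user=grace@example.com result=FAIL
2021-01-12T10:00:08Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2021-01-12T10:05:00Z ip=198.51.100.20 user=ivan@example.com result=FAIL
2021-01-12T10:05:09Z ip=198.51.100.20 user=ivan@example.com result=OK
2021-01-12T11:30:00Z ip=203.0.113.5 user=judy@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"].lower(), m["result"] == "OK"


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.75):
    """Return {ip: stats} for sources that look like stuffing.

    A source is flagged when, within any sliding window of length `window`,
    it attempts at least `min_distinct_users` different accounts and at
    least `min_fail_ratio` of those attempts fail. Thresholds are
    illustrative assumptions; tune them to the site's real traffic.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, ok = parsed
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "fail_ratio": round(ratio, 2),
                        "window_start": span[0][0].isoformat(),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

On the sample data only 203.0.113.5 is flagged (eight accounts, seven failures, within seven seconds); the user at 198.51.100.20 who fails once and then logs in is left alone. Per-IP counting is a baseline only: stuffing campaigns are routinely spread across residential proxy pools, so production detection also watches the site-wide failure rate across distinct accounts, device and TLS fingerprints, and the ratio of attempted accounts that do not exist at all.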
The knock-on damage to organizations' brand names is correspondingly large. Organizations have faced the following as a result:
- Financial Liabilities: in 2019 and 2020 the average cost of a data breach was approximately $3.9 million, a 12% increase over five years. Data protection laws such as the GDPR put companies in hot water with hefty fines as well. Add the direct cost of the fraud, the extra staff needed to assess a constant stream of fraud claims, the cost of customer success teams, and the cost of client churn, and the result is significant financial loss.
- Overwhelmed Resources: each fraud incident costs financial services firms and retailers money, but it also swamps existing staff, who are typically under-equipped to deal with a mass volume of inquiries. The more breaches and fraud occur, the more organizations must hire to remedy the situation, and then invest again in additional defensive protection.
- Brand Damage: with each lost customer the competition gains a leg up, and competitors will press that advantage by pointing at the targeted brand's tarnished reputation. Regaining customer confidence and loyalty is an uphill battle that requires additional PR and marketing resources. Put simply, bad PR is a major business risk, and proactive brand protection becomes more important than it has ever been.
How Threat Intelligence Can Help
With the vast flow of personal information through the criminal underground, the rising number of breaches (not least with the growth of remote work), and organizations' lack of visibility into who holds and monetizes their data, it is imperative that organizations protect their brand by closing off the avenues through which that data is most likely to be exploited.
Organizations must continuously monitor the places in the criminal underground where employee, client, VIP and company data are posted, bought, sold and exploited, such as dark web criminal forums and marketplaces. While most organizations do not possess such a capability in-house, dedicated threat intelligence solutions provide this visibility and continuously monitor for compromised credentials, financial information, company brands, spoofed domains, IP addresses and a range of other critical data assets.
Anti-phishing controls allow organizations to stop some attackers from impersonating their domains: email authentication (SPF, DKIM and a DMARC policy set to quarantine or reject) lets receiving mail servers discard messages that spoof the exact domain, while monitoring for lookalike and typosquatted domains catches impersonation of the brand under a slightly different name. Both diminish potential damage to brand and reputation. Continuous monitoring of social media profiles that impersonate legitimate companies is equally critical, so that targeted organizations learn of them quickly and can work on taking them down.
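Lookalike-domain monitoring is mostly a matter of normalizing candidate names before comparing them to the brand. As an added example (not code from the original article or any vendor product), the Python below classifies a constructed feed of "newly observed" domains against a fictional brand, acmebank.com; the confusables table is a small hand-picked subset, the edit-distance threshold is an assumption, and public suffixes with two labels (co.uk and the like) are deliberately not handled.

```python
"""Flag domains that impersonate a brand's domain (lookalike detection).

Signals, checked in order: the organisation's own domains (never flagged),
confusable characters or punycode that normalise to the brand label, small
edit distance (typosquats), the brand label embedded with extra tokens, and
the brand used as a subdomain of an unrelated domain.
"""
import unicodedata

# Small subset of Unicode confusables (assumption for this example), keyed
# by the character an attacker substitutes for the ASCII letter.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0456": "i", "\u03bf": "o",  # Cyrillic с у і, Greek ο
}
MULTI_CHAR = {"rn": "m", "vv": "w"}  # kerning tricks: "acrnebank", "vvindows"


def normalize_label(label):
    """Fold one DNS label to plain ASCII letters for comparison."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")  # punycode -> Unicode
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))  # é -> e
    label = "".join(CONFUSABLES.get(c, c) for c in label)
    for seq, rep in MULTI_CHAR.items():
        label = label.replace(seq, rep)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brand_domain, owned=()):
    """Return why `candidate` looks like an impersonation of `brand_domain`,
    or None if it does not. `owned` lists the organisation's own legitimate
    domains. Assumes a single-label public suffix (no co.uk handling)."""
    cand = candidate.lower().rstrip(".")
    if cand == brand_domain.lower() or cand in {d.lower() for d in owned}:
        return None
    labels = cand.split(".")
    brand = normalize_label(brand_domain.lower().split(".")[-2])
    label = normalize_label(labels[-2] if len(labels) > 1 else labels[0])
    if label == brand:
        return "normalises to %r (confusable characters, punycode or other TLD)" % brand
    dist = levenshtein(label, brand)
    if dist <= max(1, len(brand) // 5):
        return "edit distance %d from %r" % (dist, brand)
    if brand in label:
        return "brand label embedded in %r" % label
    if any(normalize_label(l) == brand for l in labels[:-2]):
        return "brand label used as a subdomain of %r" % ".".join(labels[-2:])
    return None


# Constructed feed of "newly observed" domains (hypothetical data).
FEED = [
    "acmebank.com", "acmebank-secure-login.com", "acrnebank.com",
    "acmeb\u0430nk.com", "acmebanc.com", "acmebank.com.account-verify.net",
    "example.org", "acmebank.net",
]

if __name__ == "__main__":
    for d in FEED:
        print("%-35s %s" % (d, classify(d, "acmebank.com", owned=["acmebank.net"]) or "ok"))
```

Every hit is a candidate for a registrar or hosting take-down request, or for blocking at the mail gateway and web proxy. The confusables and multi-character folds are what turn "acrnebank" and the Cyrillic "acmebаnk" into exact matches; without them the edit-distance check alone would miss the homoglyph case entirely, and a full deployment would use the complete Unicode confusables data rather than this subset.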
This is where anti-counterfeiting intelligence comes into its own. Monitoring the online black markets that sell counterfeit goods is a good place to start; there, intelligence analysts can see which brands are affected and the tactics and procedures used to purchase and ship the counterfeit goods.
Organizations should train their security teams to investigate breaches and leaks of their data assets, and bring onboard the most suitable monitoring and take-down services, such as account takeover (ATO) prevention, dark web monitoring, anti-fraud and anti-money-laundering (AML) solutions, and digital risk management/protection (DRM/DRP) solutions. Large organizations will undoubtedly need to monitor a higher volume of data assets and PII sets, and potentially buy a higher volume of take-down services.
Third-party auditing is fundamental as well. Most organizations rely on third parties to provide services and share with them a significant amount of client and employee data. Checking that those third parties have not themselves been breached or targeted by cybercrime can significantly reduce the chances of compromise.
Importantly, brand protection should be approached programmatically rather than by patching individual challenges with point solutions. After all, any solution brought onboard must fit within the organization's overall security structure. This includes thinking clearly about investigative processes and the automation of intelligence artifacts, and how that process coexists with the mechanics of the SOC teams, who are in charge of making decisions on and onboarding security solutions.
[1] https://www.privacyaffairs.com/dark-web-price-index-2020/
[2] https://ir.mcafee.com/news-releases/news-release-details/new-mcafee-report-estimates-global-cybercrime-losses-exceed-1
[3] https://www.securitymagazine.com/articles/88710-cybercrime-cost-600-billion-and-targets-banks-first