Education is the key to the data security lock -TEISS® : Cracking Cyber Security
Felix Rosbach, product manager at comforte AG, outlines three critical steps to help consumers change their mindset towards cyber security.
Cyber security is being taken seriously by everyone; from governments, public services and private enterprises all the way down to the average person on the street. They all have the technology. They all have the resources. They all have the knowledge.
Everything is in sync to protect the critical data they have collected… right?
This, of course, would be the case were we living in a fantasy world, where cyber security is considered equally as important as other forms of business; and not simply as an afterthought.
Instead, there is a lack of urgency and an overwhelmingly reactive nature instilled in our genetic makeup. While this may be the current reality, it simply can’t be the norm for much longer, especially when the damage caused by cyber security is expected to reach $6 trillion by 2021.
Many have begun evolving and some enterprises have initiated positive steps to put up a fight when it comes to cyber security. In some cases, the average spend on cyber security for a business is 5.6 percent of the overall budget. These investments are traditionally used to beef up the perimeter defences and ensure the computer systems and software are continuously operating with the latest updates.
These are positive steps but unfortunately, there is still no guarantee that hackers won’t infiltrate and gain access to the data. Finding a solution that takes care of every security need is like trying to find the pot of gold at the end of the rainbow…it’s wishful thinking; and the simple fact is it doesn’t exist.
The issue: organisations need personal data to function. There are organisations that operate through selling user data which they obtain by offering “free services” to gain access to critical information. Some individuals aren’t concerned by this and are willing to hand over their details for the convenience or social benefits they offer – and this is what many enterprises bank on.
Yet, more and more, users are catching onto the specifics and have begun questioning the need for such organisations to hold their personal information. However, with many of these organisations operating from a monopoly position, the element of choice is greatly reduced, and so individuals, sometimes reluctantly, agree to share their data.
For some people, there is a general disregard or care as to what happens to their data and there is research that backs this statement. According to statistics, 35 percent of people use weak passwords and 55 percent of people use the same password for the majority of services they use. And what’s worse, 97 percent of people are unable to identify a phishing email and therefore can’t even recognise malicious behaviour. This needs to change as, ultimately, it’s their privacy, identity and even safety they are putting at risk.
For this reason alone, it has now become crucial for individuals and businesses to spread cyber security awareness. To begin this process, there are three key steps people should follow:
1) Gain an understanding of the importance of the data and the risks surrounding it. This includes knowing the chances of being affected from a data breach. It may not seem like much, but when pieces of data are put together from various sources, malicious actors can create digital profile of individuals, creating a powerful tool to commit identity fraud. In some instances, you may not even get to know that your data was exploited but registering with a service such as haveIbeenpwned.com can alert you to compromises and monitoring credit reports can identify unusual activity, such as new accounts.
2) Know your rights. The European General Data Protection Regulation was brought into law to help protect users’ rights against data misuse by organisations. Yet, despite coming into force in May 2018, many are still unaware of their individual rights. It also gives the people power to check if organisations are compliant with the regulation. As a consumer, you have the right to question the necessity of the data a business is asking for.
3) Know your options. This means individuals must know the basic steps to protect one’s privacy. Before handing over your information, examine how your data will be used – does the organisation really need the data requested to perform the service? In addition, as part of recent legislative implementations, consumers have the right to be forgotten, so it’s important to know how to exercise this right as well.
Often, when we get given the terms and conditions, we are quick to click “agree” to enable us to use the service. This approach has to change if we are to see difference made in the protection of our data. This will mean reading the conditions laid out by the organisation to validate that the data will be effectively protected, either through pseudonymisation or any other such security measures.
While this might mean more care and time is taken into analysing what data you as a consumer are willing to “sell” to get the so-called “free” services, being sure that adequate security steps are being taken will help reduce the risk of being exposed. This is only possible with knowledge and a personal strategy.
For organisations, one of the best approaches to mitigate the risk of data theft is to pseudonymise sensitive data. With modern data centric solutions like tokenisation or format preserving encryption, it is possible to pseudonymise data, rendering it useless to attackers even if they get access.
On the consumer side, more awareness events to help promote consumer protection can only be beneficial for the wider community. The best way to make sure our data is safe is to educate people. It may take a bit of time but once consumers become aware of why data protection is important – only then will we experience that all-important light bulb moment and begin to see a change.