The old saying goes “in this world nothing can be said to be certain, except death and taxes”, but it can be argued that data breaches should be added to that list. With an endless stream of headlines detailing the latest major organisation to lose its data either due to cyber-attack or human error, consumers can be forgiven for thinking that breaches are now just an unfortunate part of everyday life. Whether it's Equifax, TalkTalk, Yahoo or one of the hundreds of other companies that have disclosed data loss, we've reached a point where consumers can no longer take the security of their data for granted.
Expecting consumers to shoulder some of the responsibility of data security may seem unfair, but even for businesses with limitless resources, no cyber-security strategy is 100 percent watertight. The most comprehensive cyber-security setup can be undone by one person accidentally pressing the wrong button, clicking a link they shouldn't or, as we've just seen with Equifax, failing to patch. Data is always at risk. So, the question is, as a consumer, where do you start? Most don't have the time, knowledge or resources to properly protect themselves, so they need a simple way to understand where they are most at risk and what to do to reduce it.
Who has more to lose?
It's assumed that criminals target the wealthiest individuals or biggest companies simply because there is more to take, with history and Hollywood's exaggerated examples shaping this perception. For example, The Great Train Robbery, The Hatton Garden job and numerous other heist films have shown us that targeting one big ‘mark’ can deliver high returns.
This assumption has resulted in some believing that they won't be targeted by criminals as they don't possess the resources to attract attention. They argue that the risk is higher to those with more, but this is just perception. As the frequency of cyber-attacks continues to grow, fuelled by the proliferation of simple-to-use tools available on the Dark Web, criminals don't care about targeting specific individuals. Their attacks using phishing emails, malware and other techniques are indiscriminate. The game has changed completely. It no longer matters whether you're an employee of a multi-national, a small business owner, a wealthy individual or someone less affluent: the chances of you being targeted by a cyber-criminal are similar.
Therefore, consumers have to look at things from the angle of actual risk rather than perceived risk. A wealthy person could be defrauded out of £10,000 and not care while someone living close to the line could be distraught over losing £200. The actual risk of cyber-crime can be greater to those with limited resources and they should be just as vigilant – if not more – particularly when many precautions are just a case of being security savvy in the online world.
Just as a company uses credit monitoring agencies to measure the risk associated with doing business with another firm or new customer, consumers need to evaluate their own levels of risk that come with being online.
The first port of call is to understand whether personal information has ever been lost in a breach. If it has, consumers know the risk of being targeted is already increased and they may need to change passwords, particularly across accounts that share them, or even take more serious preventive measures such as taking out personal cyber-insurance.
The next step is to understand the significance of what's at risk as this changes what the implications could be. For instance, a stolen email address can lead to spam email and phishing attempts, while sensitive personal information – such as the social security numbers lost in the Equifax breach – can have more serious outcomes.
It's also important to recognise that the compromised information could potentially be used years after the initial data loss took place. Individuals should therefore check regularly to ensure they are aware when their details have been compromised, as businesses are not yet required to disclose such information to consumers. That said, this will change when the EU General Data Protection Regulation comes into force in May 2018.
Of course, online safety isn't just about responding to breaches; it requires a persistent, proactive effort. A person can do plenty of things to keep themselves safe, such as installing anti-virus and firewalls, using a password manager to ensure passwords are strong and regularly updated, keeping software and web browsers up-to-date, and restricting how visible social media accounts are to non-connections. They all help to mitigate risk. The issue is that many see these sorts of steps as complex, but they're really very straightforward when the right tools and guidance are provided.
Ultimately, as more companies fall victim to cyber-crime, more of the responsibility for cyber-security will be passed down to consumers. This will come as a surprise to many who expect the security of their data to be guaranteed by businesses and have only a basic understanding of their cyber-risk as a result.
Firms must help to address the lack of awareness around personal cyber protection and empower people to protect themselves. They must get consumers to understand who is most vulnerable and where, so they can ultimately do something about it.
Andrew Martin, CEO and co-founder, DynaRisk
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.