Cybercrime awareness is no longer enough to reduce risk

People’s perceptions have changed. Not so long ago we thought nothing of kids playing outside all day alone, unchaperoned visits to a friend’s house, walking to school alone – the list goes on. But as times have changed, we have become much more vigilant about personal safety. The same can be said for the online world. The majority of us are well-aware of cybercrime and are generally on our guard for suspicious emails and websites. Yet despite this everyday vigilance, social engineers find ways to take advantage of our online behavior.

Cybercrime: We are already suspicious

When it comes to business IT security, company leaders generally want to establish a strong cybersecurity culture within their organizations. It’s a very natural thing to do. Human resources department training typically focuses on awareness and highlights the typical mistakes that open the doors to a business’ systems and data. It shines a spotlight on what it means to be aware. But conducting security awareness training on its own is not enough to reduce risk. Why? The truth is that most people are already “cyber aware.” We have all already formed an opinion on cybersecurity, and on whom we trust.

Just think about it. How often do you hear a knock on the door these days that isn’t from an unexpected visitor? A generation ago, a ringing doorbell was nearly cause for celebration. Everyone in the house leaped into action in near perfect unison. But people’s attitudes have changed. We are now not just suspicious, but actually distrustful, of people knocking on our door. We are conscious that not everyone who calls at the door nowadays is legit. This is born out of the fact that we are aware of the many door-to-door scams, or have been the victim of a cold caller ourselves. Besides, thanks to smartphones, we already know in advance if someone is dropping by; anyone else is considered an uninvited caller. In this way, the escalation of increasingly invasive marketing and social networking manipulation, coupled with technology that makes us easier to track and easier to target, has driven a culture-wide sense of security awareness.

The same can be said for cybersecurity. Nearly everyone is aware of the classic Nigerian 419 scam: in exchange for an advance payment of a few thousand dollars, email recipients are “guaranteed” several million in return. Word spread years ago that this, and many others like it, was a scam, and people now ignore such basic scams out of habit. Like the bogus salesmen calling at the door, we already have a heightened sense of awareness, causing us to be more cautious.

Cybersecurity training: Awareness alone doesn’t solve the problem

There is no question that awareness of cybersecurity is high now and has been for a couple of years, and that’s a good thing. The problem is that while cybersecurity training within an organization is well intentioned, it is invested solely in creating awareness. At this point, however, we are way past awareness. People are already suspicious of bogus emails, SMS messages and calls.

The real focus should be on a person’s attack surface, that is, the aforementioned data that makes us easier to track and to target. Attention needs to be given to the significance of personal information, the sharing of it and how to defend it. While we are “aware” that cybercrime exists, many of us may not fully understand the implications of the actions that open the door to it. This is partially why social engineering, and the large-scale data breaches it so often enables, is so successful; you only need to look at the stats.

A 2017 Tenable survey found that nearly all participants were aware of security breaches. What the survey also revealed was that many admitted to taking few or no precautions to protect their personal data, and had not changed their security habits in the face of a public threat. Not surprisingly, another study from Stanford University and security firm Tessian revealed that nine in ten (88%) data breach incidents are caused by employees’ mistakes, and costly ones at that. In 2020 alone, data breaches cost businesses an average of $3.86 million per incident.

So, what, in light of this, are the best steps to start mitigating risk?

Reduce Employee Burden: Recognition of a person’s attackable surface

When it comes to reducing risk through employee training, businesses need to recognize that many people fall into one of two categories:

  1. There are those who are very concerned about personal data security. This cohort wants to keep its data safe and does not want anyone “messing” with its personal information. They are already very much engaged with cybersecurity; they are not the problem.
  2. Then there are those who are the reverse. They are not interested in cybersecurity. They are aware, but they don’t feel at risk, and as such are not willing to spend effort on it.

Trying to “convert” the second group of employees into champions of cyber hygiene can be, for want of a better phrase, a waste of time. Until you can put cybersecurity into personal terms for each person, it is nearly impossible to change entrenched habits and opinions.

However, if you can pinpoint which avenues of attack outside the workplace are most likely for an individual’s data profile, you may be able to make progress against this skepticism. It’s about recognition of a person’s attackable surface. Concern for one’s own personal safety will always trump concern for company safety. Or, put in analog terms: you don’t have to convince suspicious people not to answer the phone; you need to convince them not to publish their phone number in the first place. The smarter everyone is about his or her personal data, the more secure the company will be.

Security awareness training is a common corporate exercise, but it is no longer enough to reduce risk. By empowering your employees to safeguard their own digital footprints, along with company data, you can start to develop truly formidable opponents of cybercrime.

How much control have we given up just to enjoy the digital life?

We all enjoy life in the digital age, and the Internet provides us with connectivity, efficiency and fun. By submitting some of our personal data to online services, we enjoy significant benefits in the form of services tailored to our needs: banking, work, ecommerce, transport, dating, social media and everything in between. But by using our personal information, and sometimes posting it in the public domain, we have created a problem. Who owns this personal data once it leaves your keyboard? And if it is misused, who is the negligent party? It might be you.

A day in the life of data: Just how much information do you give away?

Before the development of computer databases, we had certain expectations about privacy and accepted a certain level of public disclosure of personal information. And it seems this statement still rings true. Americans say they care deeply about protecting their data. Pew Research found that being in control of who can get information about us is “very important” to 74% of Americans. However, when it comes to being online, a lot of people do not consider data privacy an important issue. The irony!

With the advent of social media and messaging platforms, we offer information about our personal lives freely and voluntarily on a daily basis, and we rarely realize or question it. We regularly post personal (and sometimes compromising) pictures. We share our current location (and thereby indicate where we are not!). We share our relationship status, where we went to school, where we live, our work history, birth dates, phone numbers; the list goes on.

And we don’t even stop to think about it. We are too busy reaping the benefits.

“In general, there has never been so much personal information about individuals as readily accessible as there is today with the Internet,” says Kevin Werbach, professor of legal studies and business ethics at Wharton. “However, what most of us fail to recognize is that once content is posted online, it can be difficult to maintain total control over where it is eventually used, shared, or modified.”

Personal or private – data is open to misuse

Many consumers are unaware of how their data is used, or by whom. They operate with an assumption of trust. But data is regularly leveraged in ways the consumer never imagined. The data a user scatters can be harvested and analyzed to reveal a wide variety of personal attributes that, while seemingly innocuous by themselves, add up to a skeleton key that social engineers can use to unlock real personal assets or corporate secrets. Shopping habits, political affiliation, relationship status and the like can all serve as rungs in the ladder of a cybercrime.

Adding a sad face to a post about stray dogs, for example, can reveal what charities you might support. “You may not say much about your salary, but your ‘likes’ on brands or restaurants say a lot. Your daily routines and whereabouts can be deduced from your posts – especially if they’re geo-tagged,” says Maria Fasli, Director of the Institute for Analytics and Data Science, University of Essex.
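The aggregation Fasli describes is mechanical once the posts are in hand. The script below is an added example, not code from the original article or from any of the people quoted in it: it takes a handful of constructed geo-tagged posts (the timestamps and coordinates are invented for the example, not taken from any real account) and applies simple heuristics to infer where the poster sleeps, where they work on weekdays, and on which dates every post was far from home, which is exactly the “where we are not” signal a burglar or a pretexting caller would want. The cell size, time windows and 100 km absence threshold are assumptions chosen for the example, and only the Python standard library is used.

```python
"""Infer home, workplace and absences from geo-tagged posts.

Added example (not from the original article). All data below is
constructed; the heuristics and thresholds are the author's assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample posts: (ISO-8601 local time, latitude, longitude).
# The coordinates are arbitrary points used only to make the example run.
POSTS = [
    ("2021-03-01T07:10", 51.5012, -0.1411),  # Mon morning, "home"
    ("2021-03-01T12:30", 51.5151, -0.0922),  # Mon lunch, "work"
    ("2021-03-01T22:45", 51.5013, -0.1410),  # Mon night, "home"
    ("2021-03-02T13:05", 51.5153, -0.0923),  # Tue lunch, "work"
    ("2021-03-02T23:15", 51.5011, -0.1412),  # Tue night, "home"
    ("2021-03-03T12:50", 51.5152, -0.0921),  # Wed lunch, "work"
    ("2021-03-06T11:00", 51.5090, -0.1340),  # Sat, shopping trip
    ("2021-03-06T23:30", 51.5012, -0.1411),  # Sat night, "home"
    ("2021-03-10T09:00", 48.8584, 2.2945),   # Wed, hundreds of km away
    ("2021-03-11T21:00", 48.8606, 2.3376),   # Thu, still away
    ("2021-03-12T15:00", 48.8530, 2.3499),   # Fri, still away
    ("2021-03-14T22:10", 51.5012, -0.1411),  # Sun night, back "home"
]

GRID = 3  # decimals of lat/lon kept as the cluster key (~100 m cells)


def cell(lat, lon):
    """Coarse location cell: rounding merges nearby check-ins into one place."""
    return (round(lat, GRID), round(lon, GRID))


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _parsed(posts):
    """Turn raw tuples into (datetime, cell) pairs."""
    return [(datetime.fromisoformat(ts), cell(lat, lon)) for ts, lat, lon in posts]


def infer_home(posts):
    """Most frequent cell among night-time posts (22:00 to 06:00): assumed home."""
    nights = Counter(c for t, c in _parsed(posts) if t.hour >= 22 or t.hour < 6)
    return nights.most_common(1)[0][0] if nights else None


def infer_work(posts):
    """Most frequent cell among weekday working-hours posts (09:00 to 18:00)."""
    days = Counter(c for t, c in _parsed(posts) if t.weekday() < 5 and 9 <= t.hour < 18)
    return days.most_common(1)[0][0] if days else None


def infer_absences(posts, home, min_km=100.0):
    """Dates on which every post was more than min_km from home: likely away."""
    by_date = defaultdict(list)
    for ts, lat, lon in posts:
        by_date[ts[:10]].append(haversine_km(home, (lat, lon)))
    return sorted(d for d, dists in by_date.items() if min(dists) > min_km)


def profile(posts):
    """Combine the three inferences into one attacker's-eye summary."""
    home = infer_home(posts)
    return {
        "home": home,
        "work": infer_work(posts),
        "absences": infer_absences(posts, home) if home else [],
    }


if __name__ == "__main__":
    for key, value in profile(POSTS).items():
        print(f"{key}: {value}")
```

None of the twelve posts says “I live here” or “I am on holiday”, yet the summary names a home cell, a workplace cell and three consecutive dates on which the house was empty. Real accounts supply far more data points than this, so the heuristics only get sharper; the defensive lesson for the employee is to strip or disable geo-tags and to post about trips after returning, not during them.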

And when it comes to email and messaging services, most of us blindly accept that this information is private. But privacy and the Internet don’t go hand in hand. Who, other than the intended recipient, will receive or have access to the information you provided? Will it be shared with other parties? Is it at risk of being used in ways you did not consent to?

Anita L. Allen, professor of law and philosophy at the University of Pennsylvania and a leading expert on privacy issues, says the core questions raised by misuse of the Internet are not new. “It goes way back to the general problem that people will use personal information that they can collect through surreptitious or open means to advance their interest at our expense. What is new is the ease with which information can be collected and shared, and the ease with which it can be maintained for indefinite periods of time.” So, if we know our online data, whether private or professional, can be misused, who is the negligent party? Are you to blame? The more fundamental question is not whether you own your personal data. The real question is whether or not you can control your personal data once it’s out there.

Who owns your personal data and who controls your personal data?

There are definitely blurred lines when it comes to data ownership, and to negligence. If you post your social security number online, it’s pretty clear that if something bad happens, you are the negligent party. But when it comes to other personal data that is shared or communicated, it’s not so black and white.

Way back in 2006, Kevin Werbach, who was already concerned about data ownership when using third parties, stated: “There’s a difference between putting information on a purely public site, like your own website that’s accessible to anyone in the world, and putting something on a site like Facebook, which is a controlled, private site available only to its members. The question of who owns the information on these sites is a very interesting one. Most have policies saying they have ownership of anything posted there, but clearly that doesn’t give them leeway to do anything they want with that information. And they have privacy policies that impose limits on how they can use that data. But there’s no simple answer as to whether the information belongs to me or to the site.” And that was more than a decade ago.

Personal Data Security: How can we better protect ourselves?

In the early days of ecommerce, it was common for people to have misgivings about entering their credit card details into a website. What has taken more time to emerge, however, is awareness of the Internet’s growing threat to personal privacy.

Today, the technologies behind websites that collect data have become very sophisticated. But this is a little like when cars first made an appearance. People stepped into these hulking, loud and very fast fun machines when there were no speed limits, no seatbelts, and not even a thought of an air bag. It took many tragedies to change the laws and to drive the development of the safety technologies that keep us safe. When it comes to the Internet, we are basically speeding down the highway standing in the bed of a pick-up truck. It has been fun, but now is the time to start thinking about the parameters that will keep us safe. We need digital seat belts and air bags to minimize the risk and misuse of our personal data.