[BreachExchange] Perceived versus actual risk: who is most at risk from cyber-crime?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 27 19:15:35 EST 2017


https://www.scmagazineuk.com/perceived-versus-actual-risk-who-is-most-at-risk-from-cyber-crime/article/706321/

The old saying goes “in this world nothing can be said to be certain,
except death and taxes”, but it can be argued that data breaches should be
added to that list. With an endless stream of headlines detailing the
latest major organisation to lose its data either due to cyber-attack or
human error, consumers can be forgiven for thinking that breaches are now
just an unfortunate part of everyday life. Whether it's Equifax, TalkTalk,
Yahoo or one of the hundreds of other companies which have disclosed data
loss, we've reached a point where consumers can no longer take the security
of their data for granted.

Expecting consumers to shoulder some of the responsibility of data security
may seem unfair, but even for businesses with limitless resources, no
cyber-security strategy is 100 percent watertight. The most comprehensive
cyber-security setup can be undone by one person accidentally pressing the
wrong button, clicking a link they shouldn't or, as we've just seen with
Equifax, failing to patch – data is always at risk. So, the question is, as
a consumer, where do you start? Most don't have the time, knowledge or
resources to properly protect themselves, so they need a simple way to
understand where they are most at risk and what to do to reduce it.

Who has more to lose?

It's assumed that criminals target the wealthiest individuals or biggest
companies simply because there is more to take, with history and
Hollywood's exaggerated examples shaping this perception. For example, The
Great Train Robbery, The Hatton Garden job and numerous other heist films
have shown us that targeting one big ‘mark’ can deliver high returns.

This assumption has resulted in some believing that they won't be targeted
by criminals as they don't possess the resources to attract attention. They
argue that the risk is higher to those with more; but this is just
perception. As the frequency of cyber-attacks continues to grow, fuelled by
the proliferation of simple-to-use tools available on the Dark Web,
criminals don't care about targeting specific individuals. Their attacks
using phishing emails, malware and other techniques are indiscriminate. The
game has changed completely. It no longer matters if you're an employee of
a multi-national, a small business owner, a wealthy individual or someone
less affluent, the chances of you being targeted by a cyber-criminal are
similar.

Therefore, consumers have to look at things from the angle of actual risk
rather than perceived risk. A wealthy person could be defrauded out of
£10,000 and not care while someone living close to the line could be
distraught over losing £200. The actual risk of cyber-crime can be greater
to those with limited resources and they should be just as vigilant – if
not more – particularly when many precautions are just a case of being
security savvy in the online world.

Consumer cyber-defence

Just as a company uses credit monitoring agencies to measure the risk
associated with doing business with another firm or new customer, consumers
need to evaluate their own levels of risk that come with being online.

The first port of call is to understand whether personal information has
ever been lost in a breach. If it has, consumers know the risk of them
being targeted is already increased and they may need to change passwords,
particularly across accounts that share them, or even take more serious
preventive measures such as taking out personal cyber-insurance.

The next step is to understand the significance of what's at risk as this
changes what the implications could be. For instance, a stolen email
address can lead to spam email and phishing attempts, while sensitive
personal information – such as the social security numbers lost in the
Equifax breach – can have more serious outcomes.

It's also important to recognise that the compromised information could be
used potentially years after the initial data loss took place. Therefore,
it's also important for individuals to regularly check to ensure they are
aware when their details have been compromised, as businesses are not yet
required to disclose such information to consumers. That said, this will
change when the EU General Data Protection Regulation comes into force in
May 2018.

Of course, online safety isn't just about responding to breaches, it
requires a persistent, proactive effort. A person can do plenty of things
to keep themselves safe, such as installing anti-virus and firewalls, using
a password manager to ensure passwords are strong and regularly updated,
keeping software and web browsers up-to-date, and restricting how visible
social media accounts are to non-connections – they all help to mitigate
risk. The issue is that many see these sorts of steps as complex, but
they're really very straightforward when the right tools and guidance are
provided.

Ultimately, as more companies fall victim to cyber-crime, more of the
responsibility for cyber-security will be passed down to consumers. This
will come as a surprise to many who expect the security of their data to be
guaranteed by businesses and have only a basic understanding of their
cyber-risk as a result.

Firms must help to address the lack of awareness around personal cyber
protection and empower people to protect themselves. They must get
consumers to understand who is most vulnerable and where, so they can
ultimately do something about it.