Are You Aware of the Risks?
These days, it’s pretty hard not to pay attention to cybersecurity. Unless you have gone “off the grid” and stopped reading news articles, following social media, checking your email, listening to the radio, or watching the news on television, there’s a cybersecurity event nearly every day. The big question becomes this: do you believe that identity theft or fraud won’t happen to you? In the event you believe your personal risk is low, the Breach Level Index informs us that over 9 BILLION data records have been lost or stolen since 2013. There are only 7 billion people on this planet, and about half of us are connected to the internet, meaning that the odds are your personally identifiable information has been lost or stolen at least twice.
In order to raise awareness about the importance of protecting yourself from cyber risks, the Department of Homeland Security has identified October as National Cybersecurity Awareness Month. This cybersecurity awareness program offers good information on how to protect yourself and what to do if you are a victim. All this focus on cybersecurity risk is great, but are you acting on the information?
Many consumers hear the information and may even believe that cybercrime is on the rise, but many individuals simply don’t understand what they should do or if they should do anything. How can your organization help raise awareness of cybersecurity issues with the customers you serve?
Another Cybersecurity Data Breach! What do I do?
While many people scurry around to figure out what to do with the latest published cybersecurity data breach in the news, the loss of customer information is not new and happens more often than the average consumer realizes. Major cybersecurity breaches have been going on for years, and some are more newsworthy than others. The latest major news story is that of the Equifax data breach, which included the loss of 143 million Americans’ Social Security Numbers, birth dates, and addresses along with 209,000 U.S. consumers’ credit card numbers, names, and addresses. The reality is that if consumers had acted to protect their personal information years ago, then every new data breach would become a reminder to verify that the protection process in place is still working.
The Equifax data breach is huge by itself, but it is the tip of the iceberg. For years there have been data breaches at many large companies and government agencies that maintain personal consumer data. The fact is there is a good chance that most consumers’ personal data has been compromised and likely has been for years. The Equifax data breach news has made a lot more people aware that their personal information may have been stolen, but there have been many data breaches of personal consumer information over the years, and these breaches are not going away. This most recent news is just in time for Cybersecurity Awareness Month in October.
What Is My Responsibility?
Your organization may be aware of the cyber risks and may know a lot about how to protect its data. But are you sharing this information with the people at work or the customers you serve? Due to IT and Cybersecurity-related regulations, financial institutions use security standards to detect, protect, and respond to cyber events. The financial industry is protecting nonpublic customer information and educating employees and customers by documenting and implementing risk assessments, policies, programs, procedures, testing, and training programs. Some refer to this preparation as a forced compliance. But as consumers, we want this compliance to protect our finances and our personal information.
You should consider options to provide training not only to employees but also to consumers. Training helps employees and consumers alike learn how to protect themselves and to know what to do if they are affected by a cybersecurity event. What do other businesses do to detect, protect, and respond to cyber risks? It can be a business juggling act, but the answer may be: not much. There are several business decisions to make in the process of managing cyber risks, including the time, resources, and money needed to build documented policies and processes that protect the business. The process may be viewed as an unnecessary cost to the business, but these costs will likely be cost-beneficial over time. If a business is not forced to implement security standards or does not see the value of implementing these standards, the business may not implement them. It is not a matter of if a business will have a data breach; it is a matter of when, and of how the business will recover.
Every business should evaluate cyber risks and budget the time, resources, and money to follow security standards and make sure employees and customers are aware of the risks and how to protect the business and themselves. Cybersecurity awareness goes beyond being aware; it should inspire action, and it is everyone’s responsibility to act. Those of us who are more than just aware of cybersecurity should share with others how to take that action or where to find the information needed to take that action.
How Do I Secure Myself?
Social Security numbers can be stolen and should not be a part of a process to verify someone’s identity or to gain access to bank accounts, insurance providers, medical information, or credit cards. There are at least 143 million Americans who agree. We need to move past this authentication dinosaur and start using multifactor authentication methods in our daily lives. Multifactor authentication may not be as convenient, but it is more secure and provides us a better way of protecting information.
There are many helpful websites and articles to teach consumers how to protect themselves. You should research how to implement a credit freeze with the credit bureaus, as well as how to manage the freeze and thaw processes. A credit freeze will stop potential creditors from viewing or pulling your credit unless you thaw your filing, allowing a creditor to pull the credit file. The process keeps you in control of your credit. While a credit freeze will not stop another credit bureau data breach, it may stop breached data from being used to open credit in your name.
Other good security practices for protecting your information include:
- Maintain updated security tools on your internet-connected devices
- Patch your hardware and software applications regularly
- Use multifactor authentication settings on your accounts
- Learn how to recognize phishing emails and social engineering attempts
- Manage your social media content and review it regularly
- Use secure browsers to access the internet
- Back up your data files on your devices
- Regularly monitor your credit report and public record changes
Every American is responsible for their own security and should act if they have not already protected personal information.
Written by: Jeff Spann
Senior Information Security Consultant