Submitted by James Austin Bynoe, International Cyber\IT Security Expert, Co-founder of the Caribbean Cyber Security Center
Using the Internet responsibly […]and safely is an ever-increasing challenge for many of us, no matter how old, young or techno-savvy you are. For most, the Internet
has woven its way deeply into many aspects of our daily personal and professional lives and continues to grow. However, whether you “understand it or not”, the Internet ever-connectedness we crave has many risks and false expectations associated with its use, particularly with data privacy in mind.
Data privacy (or data protection) is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. An unfortunate reality in understanding data protection, and the impact of associated failures, is that often data breaches are nameless faceless crimes, as compared to the more tradition crimes. This lack of understanding has made it difficult for many regional public and private sector leaders to grasp its seriousness and the overall impact on regional economic stability and development. In simple terms, as data moves across Internet the responsibility for the protection of that data is shared by various system owners across a wide range of Internet infrastructure, data storage platforms, and connections.
With that said it is simply unrealistic to expect that your data will be always protected — in motion or at rest. They are simply too many technical, management and operational data protection security controls that can fail, do fail or that have never been put in place by system owners. Within your individual control, the primary method of ensuring the protection of your personal data remains “not to share it in the first place” and that includes on social media, as cyber predators often use knowledge of your social media activities to profile and target you for attack.
Many of us in the Caribbean are also simply too quick to provide personal data online without consideration for the legitimacy or security posture of the online requestor. Additionally more of us are using the Internet to perform important business and financial transactions on home or work PC’s with a lack of consideration for whether the Internet device being used has been updated appropriately from the operating system and anti-virus protection perspectives. The irony of this failure to update systems is interesting as often the updates are “free”, and simply need to be installed. As an IT Security Auditor, we routinely come across many systems that have not been updated for months or even years, which plays right into the hands of cyber predators who search “daily” for just such systems to exploit.
Depending on the tools used it can take a hacker minutes to identify weaknesses or vulnerabilities across an entire range of business, organizational or government systems. Likewise for the typical home PC/mobile device, system weaknesses or vulnerabilities can be identified in seconds. Outside of your control, where your personal data is being stored and maintained by businesses, organizations and governments, the expectation of data privacy parallels the cyber\information security maturity of the entity with it. Unfortunately in spite of a significant rise in cyber-crime activity in the Caribbean in the last two years, many public and private sector businesses, organizations and government leaders are failing to proactively invest in the implementation of international best practices and standards for data protection. Many are failing to see the return on investment (RIO) in investing in effective data protection, until a major data breach occurs.
The growing news of global and regional data breaches has simply not been enough to “trigger” many leaders into action due to a “nothing has happened to us yet, so why invest in it “mindset”. This shortsighted mindset in many ways is like shooting themselves in the foot, as it has been proven worldwide that it typically cost 10 times more to recover from a data breach as compared to proactively investing in data privacy controls. In some cases, the reputation damage to a business, organization or government caused by a data breaches are very difficult to recover from if at all.
Interestingly enough much of today’s IT management focus on data protection has been from the Internet facing side of the equation, however if you take a look at a few of the major globally reported data breaches very often they occur as the result of the “insider threat”, where employees with access to sensitive or private data intentionally or unintentionally disclose/misuse it. From the unintentional perspective, ineffective, inadequate, or non-existent roles based IT security awareness training is often one of the main root causes of many data breaches. From the intentional perspective, ineffective personal screening, or assignment of too much system rights and privileges to staff that do not have a “need to know” are often key contributing factors in data breaches. Additionally, as a key data protection security control, many organizations are failing to implement account management processes and procedures for the timely removing or disabling the accounts belonging to former employees. As a result of this account management shortcoming often we see access to sensitive data by former employees remaining active for many months or even years.
Based on what we see as auditors it is clear that the main cyber challenges facing the region is a significant lack of regional cyber/IT security awareness, and adherence to international best practices and standards. To make matter worse the region is also still lagging behind in the passing of a comprehensive set of cyber security laws and legislation, which in many ways is needed to force the hands of many public and private sector leaders to get their cyber security houses in order. Additionally it is important that the region begin to play an active role in participating in international fora related to industry best practices and standards with key industries like tourism in mind, and regional capacity building.
It is a cyber\IT security fact that there is no such thing as a perfectly secure system, as even firewalls can be compromised with the right time, effort, tools, motivation and skills. Likewise since there is no such thing as a perfectly secure system, by extension there is no such thing as perfectly secure data. It is also important to note that even hackers and cyber criminals have data privacy concerns, however judging from the fact that less than 2% of them are every caught or prosecuted for cybercrimes, they clearly are much better at it than the rest of us. So to protect your data, I am not suggesting some form of Internet technology retreat or fear of an Internet planet. What I am suggesting with regard to data processed by businesses, organizations or governments that are out of your control, you are well within your rights to demand that investments in “protecting it” are made in a proactive and sustainable manner.
Likewise from the individual data protection perspective, I suggest more responsible use of the internet (at home, work or play), and that you treat your personal data like you treat your purse or wallet: (1) don’t let people you don’t know have it, (2) always know where it is, (3) only share it with trusted sources, (4) and if it get gets a hole in it repair it (i.e. system update) or get a new one.