Data security: who can we trust?

Written by: Kirsten Morel Posted: 23/03/2016

Every day we share personal information online willy-nilly with companies and organisations - but how sure can we be that they are actually looking after that information?

It seems that digital fingers are creeping ever-further into our lives, demanding more information, filling constantly expanding databases with user groups whose every page view, music download and restaurant preference is stored alongside bank account details and card transactions.

In the UK, there are fears that HMRC is using the move away from paper-based returns towards real-time transaction reporting to capture income and expenditure information in its minutest detail. And this raises questions not just about privacy, but also the far more tangible issue of security.

Organisations today can't operate without holding our corporate and personal data, much of which (just look at the health tech sector) is information of the most sensitive kind.

Trust is the oil that enables economic cogs to turn, and without it very little business would be done - but the demands of the digital era mean that whereas trust may once have been a matter of mutual responsibility for mutual benefit, today it has become much more one-sided. One party holds valuable information on another, who in turn only has as its leverage in the relationship an ability to consume a product or service.

Sony, Target and the US National Archives and Records Administration are examples of organisations that have lost tens of millions of their users' records. In the UK, TalkTalk lost nearly 200,000. And in the Channel Islands, there have been instances of government employees accessing data inappropriately.

All of this reminds us that data security isn't just about using firewalls to stop angry nerds with access to too much time and technology. Sending emails, providing financial information, uploading photos to social media, we are constantly handing over our commercial and personal data to other organisations and, in the main, we have very little idea about the levels of security protecting our information. Yet, if something does go wrong, the consequences can be alarming.

The 2011 attack on Sony's PlayStation Network resulted in the personal information from almost 100 million user accounts being compromised, the details of more than 23,000 credit cards being stolen (although no claims for credit card fraud were made) and costs to the company of over £171 million.

At a very personal level, 500 private images of mainly female celebrities were stolen from Apple's iCloud storage system in 2014. The hackers used phishing methods to gain usernames and passwords to the accounts and went on to post the images of hundreds of people across the internet.

Under attack

Of course, these are the attacks that we know about. The reality is that attacks happen constantly about which we're not aware. "A key is that they aren't reported," says Matt Ferbrache, Head of Technical Solutions at C5 Alliance in Guernsey. He goes on to suggest that an EU reporting initiative could help focus attention. "Mandatory reporting would create an incentive to invest in security."

Without any pressure to report, it's difficult to know the full extent of security breaches or which sectors they most affect. But those we are aware of tend to have one thing in common - they're big fish and they're in the public eye.

"Governments and banks will invariably be attacked," says Dave Newbold, Chief Operations and Technology Officer at JT Group. "Generally, it's the visible entities that get attacked. Not being visible is a good way to protect yourself."

The momentum to move online has become unstoppable and seeing the opportunity to cut costs, governments and health systems have become eager to digitise and centralise our most personal information. The question is, do efficiency gains come at the cost of increased risk to users?

The fact that episodes of medical record theft have doubled in the US since 2010 and that 1.7 million medical records were breached by hackers in the first four months of last year suggests that it does. The reason medical data is in such demand isn't because of a sudden criminal interest in health matters, but as part of the growing trend for identity theft.

The more detailed the information criminals have, the more likely it is that they will succeed in using your name to apply for bank accounts, credit cards and loans. This is also why stolen medical records cost over 10 times more than credit card information.

Security matters

With so much at stake, it's surprising that security is rarely prioritised by individuals or organisations. "Security means different things to different people," says Mehul Kotedia, Director and Founder of secure vault startup, KYCme. "At one extent, there are people who don't care enough to question email attachments. At the other end of the spectrum, how can you completely reassure people anything is 100 per cent secure?"

Kotedia points out that there's a lack of awareness among the general public, partly due to the subject's complexity. "I think security is a difficult topic. Whilst many people think they understand it, very few want to scratch below the surface. The security industry does what it can to inform people and there are standards and trustmarks that make it easier."

An ignorance of data security issues at an individual level suggests we are leaving it to companies and governments to ensure our information is stored securely. But even here, where data breaches can damage brands as well as bank accounts, there's a diminished sense of responsibility.

"We ought to be concerned about data security because it isn't high enough up the agenda," says Ferbrache. "In the boardroom it's not well understood."

Within the IT community, there"s been something of a struggle to get responsibility for information security acknowledged at board level. One way to speed things up may be to demand that security is represented around the boardroom table.

"I think it should be mandatory to have someone with IT expertise sitting on the board," says Gavin Price, Head of Operations and Business Development at Sure. "That said, more and more companies are putting experts on the board who understand the issues and take responsibility."

IT directors need to adopt a multi-layered approach to security, according to Price. "It's about people, process, technology, regulation and governance," he says. "Continually reviewing what's going on, ensuring you are up to date and adopting best practice."

The focus needs to be continuous because the hackers are always innovating, finding new ways to access information. "We'll always be one step behind," says Ferbrache. "You can never be 100 per cent safe, so it's important to have systems in place to maximise awareness. For instance, if you can detect a breach, you can react accordingly. But I see many organisations that don't have the relevant systems to know if they've experienced data loss."

Best practice

In the absence of certainty, businesses need to turn to probability, and that means adopting a risk-based approach. "Protection is a function of risk appetite versus ability to spend," says Newbold. "There are a number of models you can use - such as ISO and PCI - but none are going to guarantee that you are protected. And on top of that, you're always reliant on fallible human beings."

The fallibility of humans is often vital to an attacker's success: phishing attacks rely on people being fooled into disclosing their personal information through fake emails or dummy websites that closely mimic those of banks or other institutions. Human attention can be exploited too. The TalkTalk attack, for example, began with a Distributed Denial of Service (DDoS) attack that swamped the firm's website with requests and served to distract security personnel while the hackers stole customers' data without being noticed.

Today, we live in a world in which we give away our personal information without much understanding of who is receiving it and how they are looking after it. Criminals want that information because it's valuable, but most of us do very little to ensure it's treated with care in spite of the fact that, as Newbold puts it, "all of us should treat personal information as cash".

So what can we do? For Price, security is a two-way street in which trust is best built by both parties. "Firms can present their approach more clearly but quality assurance standards and kitemarks do help to provide an easy way for customers to understand a company's approach to security," he says. "We, as customers, must also take the time to read and understand what the business is offering."

As governments hurtle towards eGov and companies insist on dealing with us online, there's no doubt that consumers should be more engaged when it comes to understanding security issues.

Clearly there's no 100 per cent security guarantee, but time and again, some of the biggest names in the public and private sectors are shown to have failed at even the most basic security concepts. If the Channel Islands and other jurisdictions are to continue down the road to greater online services, they need to do a great deal more to gain the trust of users. After all, they have their own identities at stake.
