Professional services giant EY published its Global Information Security Survey, which found that only 36 per cent of organisations include cybersecurity at the planning stage of new business initiatives. At the same time, 59 per cent of organisations have faced material incidents in the past 12 months, and 48 per cent of boards expect cyberattacks and data breaches to impact business in the next 12 months.
Every day, there’s a new reminder that the internet isn’t safe. Companies from Google to Facebook to TikTok support Safer Internet Day, which was celebrated last week, and prominent politicians in the United States and Europe have spoken in its favour. This promotion is admirable, but the very name of the event suggests just how perilous the internet can be. Microsoft and Comcast aren’t advocating a “safe” internet, just a “safer” one. The implication is that the internet will always be somewhat unsafe. Some corners of the internet are more secure and better regulated than others, but anything to do with money and anything to do with innovation will attract bad actors. Anyone interested in digital payments, and especially in digital payments facilitated by blockchain technology, needs to be smart and careful.
Blockchain tokens and cryptocurrencies require their own internet infrastructure; they are usually more complicated to understand and more difficult to operate than conventional online banking with state-issued “fiat” currencies. One major advantage of blockchain technology is its extremely robust security, guaranteed by uncrackable cryptography. If your computer isn’t compromised, say by a keystroke logger or by someone reading over your shoulder, your data is impregnable to bad actors. If you’re a sophisticated user, this is a major plus; if you’re not, it can cause all kinds of trouble. If you transpose two digits in the 26-digit hash code, you can lose your funds; even if you use a wallet with passphrase functionality, loss of passphrase equals loss of funds.
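The article does not name a particular address format, so the following is an added example (not from the article or its author) that assumes a Bitcoin-style Base58Check address. The point it illustrates is the defence against the typo scenario described above: a Base58Check address carries a 4-byte double-SHA256 checksum, so wallet software can reject a transposed address before any funds move. The sample address is the well-known genesis-block address; `transpose` is a helper introduced here to simulate the user error.

```python
import hashlib
import hmac

# Base58 alphabet used by Bitcoin-style addresses (no 0, O, I, l)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(s: str) -> bytes:
    """Decode a Base58 string to raw bytes, preserving leading zero bytes
    (each leading '1' in the text encodes one 0x00 byte)."""
    num = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_base58check(s: str) -> bool:
    """Return True only if the last 4 bytes equal the first 4 bytes of
    SHA256(SHA256(payload)); a mistyped address fails this with probability
    ~1 - 2**-32."""
    try:
        raw = base58_decode(s)
    except ValueError:
        return False
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return hmac.compare_digest(checksum, expected)


def transpose(s: str, i: int) -> str:
    """Helper (constructed for this example): swap characters i and i+1 to
    simulate the transposition error described in the text."""
    return s[:i] + s[i + 1] + s[i] + s[i + 2:]


# Well-known genesis-block address, used here as a valid sample input.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

if __name__ == "__main__":
    typo = transpose(GENESIS, 5)
    print(GENESIS, is_valid_base58check(GENESIS))  # True
    print(typo, is_valid_base58check(typo))        # False: checksum mismatch
```

Note that the checksum only catches accidental corruption of the address; it says nothing about whether the address belongs to the intended recipient, so it complements rather than replaces verifying the destination through a second channel.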
Exceptions to best practices
Though user error like lost passcodes remains an issue, malicious hacks are more common and more familiar. In late 2018, the Marriott hotel chain announced a huge data breach: 500 million visit records were compromised, possibly by Chinese government hackers. Corporate breaches like that suffered by Marriott differ in scale and impact from individual breaches, but everyday users can learn from big corporations’ failures. In the case of Marriott, the breach originated with bad data hygiene and lax security: Outdated, unpatched, and clunky systems were left in place after Marriott acquired the assets of another hotel chain. The circumstances of the hack were unique and particular, but the lessons are universal. Security is an ongoing activity, not an accomplishment to be checked off and forgotten: A system that passes checks today may reveal vulnerabilities tomorrow.
It’s true that individual users are unlikely to attract state-sponsored cybercriminals like the Marriott heisters, but there are hundreds of thousands of hackers and criminals out there, and letting just one enter your system can be disastrous. Malware such as keystroke loggers and ransomware was once the most common form of attack, but with the rise of “spear phishing” techniques that impersonate legitimate entities (your bank, your email provider, your job’s IT admin), the situation has changed. As ever, you must keep your systems up-to-date and your security current, but now there’s an element of personal judgment to boot. You must recognise fake emails, even when they’re persuasive, even when they come (or appear to come) from trusted email addresses.
If you transact in cryptocurrencies, be aware that there may be exceptions to classic security best practices. For example, two-factor authentication is generally considered a best practice because, in theory, it requires that anyone accessing an account also controls an associated phone. Dedicated hackers have, however, managed to beat two-factor setups by SIM swaps: criminals impersonate the person they want to hack and get licensed mobile phone technicians to assign the relevant phone numbers to new phones. If you’re handling large amounts of cryptocurrency, investigating options beyond two-factor authentication — for example, making sure your provider will not swap SIM cards — may be necessary.
New heights of hacker ingenuity
The prospect of a cryptocurrency payday, unfortunately, can drive hackers to new heights of ingenuity. In August 2019, Coinbase, one of the largest cryptocurrency exchanges in the world, announced that it had fended off an attack of unprecedented sophistication, which involved spoofed emails and multiple zero-day Firefox exploits. Coinbase maintained quality security; the attack was discovered via “a report from an employee and automated alerts.” In other words, Coinbase computer systems and Coinbase employee savvy both played parts in loss prevention.
Safer Internet Day is well into its second decade, and it runs few risks of being abandoned or abolished. There are too many hackers, too many criminals, and too many uneducated users still at large. Though the official commemoration of a safer web comes just once a year, we should make daily observance of its principles. Whether your life is mostly offline or whether you’re a high-tech cryptocurrency trader, you should always remain cautious and informed — and yes, you must run those annoying security updates. Perhaps one day the internet will be as safe as we wish it was. Safer Internet Day will have accomplished its mission when we no longer have to observe it.
Ashish Singhal, Co-Founder and CEO, CoinSwitch.co, CRUXPay