“Your business could be next”. This was the industry response following the latest online security breach affecting the National Lottery. The attack, and others like it, serves to highlight the constant threat to customer data and the worrying vulnerability of personal information, such as user profiles or financial records. Data breaches are not just breaches of security; in terms of corporate responsibility, they represent a damaging breach of trust.
The situation has become so serious that some argue there are just two types of company today – those that have been hacked, and those that do not yet know they’ve been hacked. Surprisingly, many companies are simply hoping to avoid a data breach, not fully realising that the probabilities point to them falling victim to some form of data loss – sooner rather than later.
But it’s not just the immediate loss of data we need to be concerned about – it’s the consequences this has for us, as users, and the effects on our online behaviour, which are more alarming, as they threaten to redefine our relationship with the connected world.
None of us, I’m sure, would be happy working for a company that had a policy of sharing confidential staff records with complete strangers, and all of us would be devastated by an identity theft caused by a data breach at an organisation we once did business with. This betrayal of trust has destroyed users’ confidence in companies and in their ability to protect data. As a result, according to a recent global SafeNet survey, nearly two thirds of 4500 respondents across five of the world’s largest economies would never, or were very unlikely to, shop or do business with a company that had experienced a data breach. In a further study, as many as 59 per cent of users admit they would likely not do business with a company which had suffered a data breach.
This trend is having a profound impact on our online behaviour. Having trust in the transactions we perform – commercial, social or otherwise – is critical for growing the digital economy and a prerequisite for a globally connected Internet. Any erosion of trust is therefore a destabilising threat that goes to the very heart of the Internet.
I was recently on the steering group for the Internet Society’s analysis of their impact; the resulting security report drew on a significant study by Ipsos on behalf of the Centre for International Governance Innovation. It found a long-term trend: we are becoming more fearful in using the Internet.
Without trust, those online are less likely to volunteer their personal information and those who are not yet online may choose to stay unconnected. Whilst much is made of the reputational implications for a business, some of the responses to the recent National Lottery breach point to a loss of faith. As one hopeful lottery player said, “it just makes me more inclined to go to the shop with cash… it’s worrying when they can get hold of so much of my personal information.”
So what can be done?
According to the Online Trust Alliance, as many as 93 per cent of all breaches that have occurred could have been prevented if the correct counter-measures had been in place. And when a breach does occur, it seems that steps are not taken to avoid harm, such as minimising the amount of data stored and encrypting the data that is kept.
Many companies can and do seek advice and are proactive in protecting themselves; there are relatively easy ways to invest in the latest security improvements. But businesses could be doing much more to minimise their exposure to potential attacks.
Given the complexity and the transactional and cross-border nature of the Internet, it is essential that all those involved in the digital economy play their part in helping to combat the data breach threat.
This includes making organisations more accountable for data breaches, making information security a priority and increasing transparency around security incidents around the world.
Five key recommendations, contained in the Internet Society’s recent 2016 Global Internet Report, help to map out a way forward for tackling the data breach challenge specifically:
- Put users – the ultimate victims of data breaches – at the centre of solutions. When assessing the costs of data breaches, include the costs to both users and organisations.
- Increase transparency about the risk, incidence and impact of data breaches globally. Sharing information responsibly helps organisations improve data security, helps policymakers improve policies and regulators pursue attackers, and helps the data security industry create better solutions.
- Prioritise data security – organisations should be held to best practice standards when it comes to data security.
- Increase accountability – organisations should be held accountable for their breaches. Rules regarding liability and remediation must be established up front.
- Increase incentives to invest in security – create a market for trusted, independent assessment of data security measures so that organisations can credibly signal their level of data security. Security signals help organisations indicate they are less vulnerable than competitors.
With more and more connected organisations and services, the opportunities for further loss of trust and confidence through having our personal data taken and breached are at an all-time high. We are at a turning point for trust in the Internet. Online security is not achieved by a single treaty or piece of legislation; it is not solved by a single technical fix, nor can it come about when companies or sectors of the economy ignore the fact that security is important.
We need to address these problems closest to where the issues are occurring. That means initiatives across government, business and among individual Internet users as part of a collective, global effort. This includes companies taking responsibility by handling users’ data in responsible ways.
Think about our shared civic duty to keep our streets and cities clean through the use of refuse collection and litterbins and how this results in a clean, sustainable environment in which to live. Internet security demands the same behaviour from us all.
Olaf Kolkman, Internet Society