To pay or not to pay a cyber ransom – that is the question. Or is it? Frustratingly, there is no right or wrong answer to this million-dollar question after a data breach, writes Jacqueline Jayne, Security Awareness Advocate APAC at KnowBe4.
Some may argue that if businesses backed up everything, they would never need to pay a ransom. Backups solve only part of the problem: ransomware crews routinely copy data out of the network before encrypting it, so the ransom buys not only the return of the data but also the ‘promise’ not to release it anywhere else, such as on a dark web leak site for other criminals to purchase and use.
We are dealing with cyber criminals here, and is there any honour amongst thieves? What is to stop them taking the money and then dumping the data on the dark web anyway for all the other criminals to use?
We can argue all day about whether businesses should pay or not pay, and there will never be a definitive answer.
What I would like to address is us – the humans, the consumers, employers, customers, volunteers, students and everyone else. The government, big business and all the other industry bodies are focused on ‘who should do what’, ‘who should get fined’ and ‘what new laws do we need’, pointing fingers and blaming everyone.
Who is really to blame for our data being found online?
Cyber security is everyone’s responsibility and YOU – yes you – are not doing enough to keep yourself safe online and now is the time to step up and protect yourselves.
There are a few facts that I believe we, as consumers, need to accept whether we like it or not.
They are:
- Your basic data is already out there (yes it is), and there is nothing you can do about it other than apply the basic cyber hygiene (see below for what this means).
- Cyber criminals are targeting every single organisation in Australia, every day, with the goal to ‘breach the system’ and steal your data, intellectual property, customer data, personal data, deploy ransomware and more.
- The next level of your data is what you need to be concerned about. I refer to that as ‘unique identifiers’ such as your tax file number, driver’s licence, passport number, etc – all the things that are unique to you and you alone. This type of data is extremely valuable to cyber criminals as we have seen in recent breaches.
- Cyber criminals are ahead of the game. Most IT teams across the world, including in Australia, are doing everything they can to protect against harmful cyber activity. No matter how good and advanced they are, cyber criminals still prevail – the question is why?
To provide an answer, let’s look at a non-cyber analogy for a moment – driving a car. You can be the safest driver in the world, have the most secure and safe car in the world, be driving on the best roads, supported by the best tyres – and despite your best efforts, you can have an accident.
How about securing your house? You can have a ridiculously secure perimeter, guards, alarms, locks everywhere – and if someone really wanted to break in they could tunnel under the ground to gain access.
My point here is that we, as consumers, need to accept that our basic and unique identifier data is going to be stolen. What we need to do is apply more levels of protection and basic cyber hygiene.
What are cyber criminals looking for?
As I mentioned above, there are two levels of data cyber criminals are after: basic data and unique identifiers.
Basic Data
Yours is probably available online already. Our names, date of birth, addresses, emails, phone numbers, jobs we have, credit card numbers and their expiry dates are all basic data.
Your basic level one data is probably already out there – check your emails and mobile numbers here to confirm if they are involved in a known data breach and don’t panic when you find it there.
See tips below for what to do next.
Unique Identifiers
This set of data is the next level. Medicare number, passport number, driver’s licence number, tax file number, the CVV number on the back of a credit card, or an account number for a service such as electricity, gas or phone.
It’s the unique identifiers that the cyber criminals really want. They can add it to the basic data they already have and then use it for fraudulent activities and even to steal our identity.
Where are they finding your data?
It is natural for people to feel scared and nervous when they realise some of their personally identifiable information has been stolen. Our data is valuable and it’s everywhere.
Don’t believe me? Consider your basic data and unique identifiers listed above and then think about the amount of data you have shared over the years, and the information you have shared during day-to-day life.
- LinkedIn, Facebook, Instagram, Twitter, TikTok, etc
- Job applications over your career
- Volunteer forms
- Credit applications – credit cards, mobile phones, retail cards etc
- Rental applications
- Holiday reservations and bookings
- Surveys
- Competitions
- Websites
- And everything else
Everything a cyber criminal needs is already there.
The big question is: ‘Is our data actually safe?’
And the answer is: yes and no.
Yes, because the majority of organisations do everything they can to keep it safe because it’s in their best interest to do so. No one wants a data breach, just like no one wants a car accident.
However, let’s for a moment put ourselves in the world of a cyber criminal. They know how valuable your data is and the more data the better. They could:
- Spend months and years collecting it one piece at a time from multiple areas, carefully creating a master spreadsheet; or
- Buy some basic data that is already available, create their own malicious software (or buy it from the dark web), and send millions of emails out knowing that someone will engage with that email, giving them access to millions of people’s data; or
- Look for vulnerabilities in technology to gain access to the same systems with that same data.
It makes sense that they will focus on the big data haul because it’s more financially beneficial for them.
How will I know if my data has been leaked or stolen?
Are there any tell-tale signs that someone has your data?
If your data was part of a data breach, the organisation in question should inform you and provide you with the details you need to know (in Australia, the Notifiable Data Breaches scheme requires this when the breach is likely to result in serious harm). Outside of that, pay attention to:
- Strange activity on your accounts.
- An increase in incoming communication such as emails, calls or SMSs from companies you haven’t dealt with before.
- Your basic data or unique identifiers being used in phone calls, SMSs or emails and you are being asked for confirmation or more details.
What to do if you’re caught in a data breach
What should you do when you find out your information has been leaked, stolen or is already part of a previous data breach?
The first thing to do is to act quickly. Don’t wait a week or two; it’s better to be safe than sorry.
- Change all your passwords (yes, all of them), starting with the breached account and anywhere you reused that same password, and never, ever, reuse a password.
- Seriously consider a password manager tool (see tips below).
- Enable a second authentication level with Multi-Factor Authentication (MFA) on every login that you can (see tips below).
- Never use your work email address for a personal login (bank, social media, MyGov, etc) – only use a personal email address.
- Monitor all of your bank accounts for suspicious activity.
- Check activity on credit applications under your name.
- Follow the guidance from the ACSC and the Office of the Australian Information Commissioner.
- If you think someone has stolen your identity, go to www.idcare.org.
- Keep up to date with all the latest scams at Scamwatch.
- Communicate directly with organisations. For example, if someone calls you claiming to be from your bank or the ATO, politely tell them you will call them back and ask for a reference number. Ignore all links or attachments in SMSs or emails and call the organisation directly yourself, using official channels.
Basic cyber hygiene tips
1. Get a password manager
If you have more than 20 username and password combinations, get yourself a password manager tool so you only have to remember one strong passphrase.
There are many to choose from and you can start your research here.
2. Enable Multi-Factor Authentication (MFA) with as many logins as possible
MFA gives you a second layer of authentication and protection from cybercriminals. It means that once you have entered your username and password (first authentication), a second authentication is required to access your account or app.
There are a few options when it comes to MFA. The best option for most of us is an authenticator app, such as Google Authenticator or Microsoft Authenticator. Codes sent by SMS are better than nothing but can be intercepted through SIM swapping, while a hardware security key or passkey is stronger still because the code cannot be phished out of you.
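To show what an authenticator app is actually doing when it displays a six-digit code, here is an added example (not from the article) implementing the time-based one-time password scheme those apps use (TOTP, RFC 6238, built on HMAC-based OTP, RFC 4226). The secret is the RFC 6238 reference test secret, and the issuer and account names in the enrolment URI are hypothetical. The verifier accepts codes from neighbouring 30-second steps to tolerate clock drift and compares in constant time.

```python
"""TOTP (RFC 6238) as used by authenticator apps: generate and verify a code."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                # dynamic truncation: low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the HOTP counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, candidate: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept a code from the current step or +/- `window` neighbouring steps (clock drift).
    hmac.compare_digest keeps the comparison constant-time so an attacker cannot learn
    which leading digits matched from response timing."""
    counter = at // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, len(candidate))
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """The enrolment string an authenticator app reads from a QR code (Base32 secret, no padding)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


# Constructed demo secret: the RFC 6238 / RFC 4226 reference secret (ASCII "12345678901234567890").
# A real enrolment uses a random secret that is never reused across accounts.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "valid:", verify_totp(DEMO_SECRET, code, now))
    # Hypothetical issuer/account for the enrolment URI
    print(otpauth_uri(DEMO_SECRET, "ExampleBank", "alice@example.com"))
```

The point for the reader: the code is derived from a shared secret and the current time, so anyone who obtains the secret (for example by photographing the enrolment QR code) can generate valid codes, whereas an SMS code is exposed to whoever controls your phone number.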
3. Update software
This includes the operating system that runs your devices and laptops, and all the software and apps you use on them. Turn on automatic updates wherever they are offered, so security fixes are applied without you having to remember.
4. Back up your data
Make sure you take the time to back up your important information, data, photos and memories, and keep at least one copy offline or disconnected so that ransomware on your device cannot encrypt the backup as well.
5. Be extra vigilant
- If something sounds too good to be true, it probably is.
- If in doubt, don’t.
- If incoming communication (phone calls, SMS or emails) sparks an emotional response (fear or urgency), STOP and take a breath. It’s more than likely a scam or an attempt to trick you. It’s better to be safe than sorry.
- If it quacks like a duck and walks like a duck – it’s probably a duck.
- As we say in the world of tech: TRUST AND VERIFY … always.
This article was first published on Flying Solo; read the original here.