We all acknowledge that the vast, pervasive digital world we’ve built brings with it not only great new advantages, options, and capabilities, but also dire threats from criminals, sociopaths, and hostile regimes.
One thing about the digital world is that it’s completely fabricated. That means that anyone with a modicum of smarts can use, access, and manipulate this digital world—for good purposes and for bad. The guiding hope for the good guys is that they can have just a little more smarts to, hopefully, stay a ahead of the bad guys.
Unfortunately, the evidence is to the contrary. The good guys always seem to have to catch up with the bad guys. What’s even more troubling seems to be that within the good-guy community, there’s disagreement as to who should be taking the lead in fighting the crooks and hackers. Users, providers, employers, employees—all seem to be pointing their fingers at each other, claiming each other is most responsible.
It can be disheartening. Take, for example, a recent global survey of 5,000 IT security professionals by Ponemon Institute, sponsored by Websense Inc., which specializes in online security. Among its many troubling findings: 63% doubt they can stop data theft; 69% believe cybersecurity threats sometimes fall through the cracks of their existing security systems; 57% believe their organization is not protected from advanced cyber attacks; and 80% say their company’s leaders do not equate losing confidential data with a potential loss of revenue.
“The overall analysis indicates that a majority of security professionals do not feel adequately armed to defend their organizations from threats,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “This challenge is further compounded by a perception that company leaders do not believe that data breaches will lead to loss of revenue. Our research has shown this is simply untrue.”
(Note: This particular study covers businesses in general and is not specific to financial institutions. Still, it’s relevant because of banks’ extensive use of third-party vendors, not to mention the commercial bank/business customer relationship.)
That’s the view from the business side. Another survey, from the customer side, by Unisys, had these results: 59% of U.S. respondents are seriously concerned about other people obtaining and using their credit or debit card details, and 57% are seriously concerned about identity theft. Nearly 60% say that a security breach involving their personal or credit card data would make them less likely to do business at a bank or store that they commonly use.
Which leads to brand damage. Says Dave Frymier, CISO, Unisys, “Organizations that ignore the risk of data breaches do so at their peril, as brand reputation and customer loyalty often depend on a company’s ability to protect personal information.”
So far, it seems, the responsibility is all on the corporate side. As an example of personal responsibility, however, consider the issue of bring –your-own-device to work. In multiple, independent studies, it’s plain that there really is no stopping employees from using privately owned gadgets to help in their jobs. With that use comes extremely serious security problems. Here are two such studies:
- Gartner Inc. found that 25% of business users admitted to having had a security issue with their private device in 2013, but only 27% of those respondents felt obliged to report this to their employer. Of those surveyed, 59% who regularly use their private devices for work have not yet signed a formal agreement with their employer outlining security requirements.
- Webroot, which specializes in internet threat detection, found that more than twice as many workers report using personal devices than those using devices issued by their employers. Of those using a mobile device for business, 60% have either no security or just the default features set on the phone.
In a perfect world, then, corporates and individuals should agree on mutual responsibility for cyber security. “For a BYOD program to work there has to be strict policy enforcement and compliant users,” says Meike Escherich, principal research analyst at Gartner.
But it’s not a perfect world and what’s more, it is becoming a complacent world. Yet another survey by Ponemon, this one sponsored by Experian Data Breach Resolution, surveyed more than 700 consumers who’d been affected by a data breach. Most—76%—said they felt stress as a result of the breach, but more than 50% did not take any steps to protect themselves from identity theft afterwards.
“Inaction may be a result of data breach fatigue, as 30% of those surveyed received at least two data breach notifications and 15% received three in the last two years, while 10% received more than five,” the survey report says.
Also, says Unisys’ Frymier, “Most consumers have been insulated from major financial losses resulting from data breaches, because those losses are largely absorbed by businesses and financial institutions. That may explain the low levels of internet security concern, as well as the large segment of respondents who said they would not change their behavior as consumers as a result of data breaches.”
The conclusion is obvious: Everybody is responsible to take positive action to guard against cybercrime. It can’t just be the other guy. And there are some indications this mutual sense of responsibility is taking hold. Malauzai Software reports a striking 450% increase in the use of its debit card management features from November 2013 to April 2014. The debit card on/off feature, with which consumers can control their card’s functionality, reportedly saw a 40% increase in new users during that time frame, indicating a sense among consumers that they need personally to exert some control over their property.
Experian’s Michael Bruemmer also notes a heightened consumer security awareness, and suggests a way for businesses to encourage it in the future: “For businesses, some of the key takeaways from the results [of its survey] are to ensure that their breach notification letters are impactful so consumers take notice and follow instructions, and to show their customers that they are concerned and will do right by them. Also, businesses should leverage their assets, such as their public relations team, to manage external communication, and to enlist expert resolution providers for identity protection and credit monitoring services so that their post-breach response goes smoothly, which will help safeguard their reputation.”
Sources used for this article include:
- Dancing With the SARs
- Physical Security at Banks Models Best Practices for Cybersecurity
- Global Political Corruption and Kleptocrats: How can we protect our U.S. financial institutions?
- Bank Deposits: The Most Important Number on the Balance Sheet
- Implications of Future Rate Changes for Cash Management Services