* Article updated August 10, 2022, with new insights and figures.
2020. A year best described as awful, and as up and down as the Reddit-fueled shares of GameStop. Between COVID-19 and everything else, 2020 hit some hard lows, best summed up by the leak of WHO staff credentials: the email addresses and passwords of around 450 WHO employees were posted online and then used to lend credibility to a fake COVID-19 relief fund aimed at scamming the public. That is low by most people's standards, but it also shows how opportunistic attackers have become and raises the question of what companies can do to protect their employees' and customers' data.
The dawn of the cybercriminal
Pandemic-era living has forced work into the home, shifting the workspace from a cushy office and human interaction to the couch and coffee table of your flat, making every day casual Friday. It is not just work life that has changed dramatically; consumer purchasing habits have also shifted from brick and mortar to the web.
E-commerce, to say the least, has grown like Jack's magic beanstalk, with Nielsen data showing that home deliveries increased 39% during lockdown and curbside pickups jumped by more than 95%. E-commerce as a whole is expected to keep growing at around 20% year over year (YoY) in the coming years.
The advent of COVID-19 led to new business models, where shopping, work and financial transactions are conducted online more than ever, and it is no surprise that cybercrime spiked in 2021. The FBI's Internet Crime Complaint Center recorded losses of approximately $6.9 billion in 2021, up from $4.2 billion in 2020.
A strong example of how exposed we are is the 2020 breach at Marriott International, which disclosed the personal data of more than 5.2 million hotel guests. MGM Resorts had a similar incident the previous year, with records of 142 million guests eventually surfacing for sale. And it is not just the major players or big corporations that are at risk: 43% of all cyberattacks target small and medium-sized enterprises (SMEs). Such leaks often trace back to web applications and connections that were never properly secured, one of the most common ways personal information ends up in third-party hands.
It is little wonder that people have become increasingly engaged with, and concerned about, how companies handle, store and secure their personal data. The adoption in the last few years of GDPR and similar legislation elsewhere highlights the public, political and corporate concern over privacy. For our non-European readers, GDPR is the EU's General Data Protection Regulation, which any company processing EU residents' personal data has had to comply with since May 2018.
Practical ways to secure customer data
Here is the rundown on the practical, and perhaps obvious, ways companies can upgrade their data security, broken down into six sections.
Access control & network segmentation
Not every employee needs access to every little nook and cranny of your company; compartmentalize a bit. Give each employee only the access their role requires (the principle of least privilege), and review those rights when people change roles or leave.
The same goes for internal networks. Segment them from one another with firewalls or VLANs so that a compromise of one segment does not hand the attacker the rest. This makes it much harder for cyber criminals to wreak havoc on your business.
To imagine this, think of your backend as a herd of sheep. If you make just one massive fence around your herd, all a wolf has to do is jump the fence and have itself a free sheep buffet.
But, if you segregate your sheep and fence them off into smaller groups, that wolf will have to jump a lot more fences making it harder to sink its teeth into more of your herd.
Testing & third-party audits
As the saying goes, practice makes perfect. Secure your company's network by testing and stressing it to see where the cracks are, and consider bringing in a cybersecurity firm to run a penetration test or audit for you.
When using any third-party apps, audit those as well and find out what they do with your data. Due diligence here is the locksmith to your cybersecurity door.
Plugins
When using plugins, make sure they are kept up to date to reduce your exposure and protect customer data from a breach. This may seem obvious, but it is worth stating when you consider one of the largest CMS platforms, WordPress, and its plugin vulnerabilities.
WordPress is used by roughly 75 million websites, and over 90% of the vulnerabilities reported for it stem from plugins rather than the core application. That is a lot of websites and companies left exposed by outdated or vulnerable plugins. Managed WordPress hosting can add some protection for customer data, but due diligence is key here again: install only the plugins you need, remove the ones you don't use, and turn on automatic updates.
Patches, firewalls & Encryption
A network lacking an update is a vulnerable one. Patches are easily neglected or forgotten, and many intrusions exploit vulnerabilities for which a patch already existed. Consider vulnerability scanners and patch-management tools that inventory your systems and flag what is out of date, alongside endpoint protection that detects malware automatically.
Of all the types of firewalls out there, a web application firewall (WAF) inspects HTTP traffic and can block common application attacks such as SQL injection and cross-site scripting, absorb some application-layer denial-of-service traffic, and apply custom rules such as blocking requests from countries outside your delivery zone. A WAF is a filter in front of the application, not a substitute for fixing the application behind it, and volumetric DDoS attacks still have to be absorbed upstream by your hosting or CDN provider.
Now, finally, let's look at encryption. Encryption is the figurative lock and key for protecting customer data. Make sure that any sensitive data is encrypted both at rest (databases, backups, laptops) and in transit.
Methods for encrypting connections include Virtual Private Networks (VPNs) and Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL). A VPN encrypts traffic between a device and your network, so remote staff on home Wi-Fi are not sending company data in the clear. TLS, enabled on a website by installing a certificate, encrypts the connection between the browser and your site, including the personal data entered during a payment transaction; this is especially valuable when a third-party application processes the transaction. Configure your servers so that SSL and TLS 1.0/1.1 are disabled and only TLS 1.2 or 1.3 is negotiated.
The type of certificate you choose does not change the strength of the encryption; that is determined by the TLS versions and cipher suites your server is configured to accept. Certificate types differ in how the owner is validated (domain, organization or extended validation) and in how many hostnames they cover (single-domain, wildcard or multi-domain), and those are the factors that should drive the choice.
Human error & device control
Hey, everyone makes mistakes; that comes with the territory of being Homo sapiens. To ensure a mistake does not turn into a massive data breach or intrusion into your company's network, make sure your employees are properly trained to recognize phishing, to prevent breaches, and to react when one happens. Knowing whom to tell, and telling them quickly, matters more than knowing who is to blame.
It is also not a bad idea to implement a device-control strategy: monitor what removable media gets plugged into your machines, and ensure that devices on your network, such as laptops and phones, run endpoint protection and are free from malware. This helps stop your business from becoming the next big sieve of leaked data, and if something does leak, it makes it easier to trace the source and stop the bleeding.
Strategizing a plan B
Preventive measures should be the first course of action, the so-called 'Plan A' of protecting customer data. As with everything else in life, it is smart to have a 'Plan B' for when things go off the rails, and cybersecurity is no exception.
Plan for the worst, hope for the best, and make your disaster plan part of your master plan. Create data backups, keep at least one copy offline or immutable so that ransomware cannot encrypt it along with everything else, test that you can actually restore from them, and drill your employees on different scenarios so they know how to steer the ship to safety.
You wouldn't sail without a life raft, so plan for disaster; then, even if things go a tad awry, you have a life raft to float you to safety.
Innovative security in 2022
Now that we have covered the practical, let's get into the meat and potatoes portion of the article (lentils and potatoes for the vegans): the cybersecurity innovations companies can start to implement or consider this year and beyond, such as blockchain, AI and machine learning, and digital twins.
Goodbye weak links, hello blockchain
I think by now everyone has heard of blockchain in some capacity, if only through Bitcoin. What makes blockchain interesting is its tamper-evident structure. Every 'block' carries a cryptographic hash of the block before it, so the chain links all the way back to the first, or 'genesis', block; change any historical record and its hash changes, breaking every link after it. Combined with many participants each holding a copy of the chain, this makes the ledger decentralized and very hard to rewrite unnoticed.
There are two broad types of network: public and private blockchains. A public blockchain lets anyone take part under a pseudonymous address (pseudonymity rather than true anonymity, since every transaction is visible), while a private blockchain is invitation-only with known participants, which makes it better suited for internal use in business.
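The hash-linking described above is easy to see in code. The following is an added example (it is not code from the original article or from any blockchain project): a minimal chain where each block stores the SHA-256 hash of the previous block, plus a verifier that reports the first block whose link or hash no longer checks out. The transaction strings are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS_PREV = "0" * 64  # the genesis block has no predecessor


@dataclass
class Block:
    index: int
    prev_hash: str    # hash of the previous block: this is the "link"
    data: str
    block_hash: str


def compute_hash(index: int, prev_hash: str, data: str) -> str:
    """Hash the block contents together with the previous block's hash."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "data": data}, sort_keys=True
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def genesis_block() -> Block:
    return Block(0, GENESIS_PREV, "genesis", compute_hash(0, GENESIS_PREV, "genesis"))


def append_block(chain: List[Block], data: str) -> Block:
    prev = chain[-1]
    idx = prev.index + 1
    block = Block(idx, prev.block_hash, data, compute_hash(idx, prev.block_hash, data))
    chain.append(block)
    return block


def first_invalid_block(chain: List[Block]) -> int:
    """Return the index of the first block that fails verification, or -1 if
    every link and every stored hash checks out."""
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].block_hash
        if block.prev_hash != expected_prev:
            return i  # link points at a hash that no longer exists
        if block.block_hash != compute_hash(block.index, block.prev_hash, block.data):
            return i  # contents were edited after the hash was stored
    return -1


def build_demo_chain() -> List[Block]:
    # Constructed sample ledger entries, not real transactions.
    chain = [genesis_block()]
    for entry in ("alice pays bob 5", "bob pays carol 2", "carol pays dave 1"):
        append_block(chain, entry)
    return chain


def tamper_demo():
    """Edit a historical block and show where verification fails, before and
    after the attacker recomputes that block's own hash."""
    chain = build_demo_chain()
    assert first_invalid_block(chain) == -1
    chain[1].data = "alice pays mallory 5"
    broken_at = first_invalid_block(chain)          # 1: stored hash no longer matches
    chain[1].block_hash = compute_hash(1, chain[1].prev_hash, chain[1].data)
    broken_after_rehash = first_invalid_block(chain)  # 2: block 2 still links to the old hash
    return broken_at, broken_after_rehash


if __name__ == "__main__":
    print(tamper_demo())
```

The point to take from the second result is that rehashing the edited block only moves the break one block later: the attacker must recompute every subsequent block as well. In a toy chain held in one process that takes microseconds; what makes a real blockchain hard to rewrite is that the other participants hold their own copies and (in public networks) that recomputing the tail costs proof-of-work. Hash chaining gives tamper evidence, not tamper resistance, on its own.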
IBM has compiled a list of considerations for companies to see which blockchain network is best for them and how to operate them efficiently. However, as the blockchain story unfolds there are some caveats to consider.
For instance, to make a transaction on a blockchain, a user needs a 'private key' to sign it, which proves control of their address. Think of it as a virtual ID card and signature rolled into one.
User data can be misused if someone gets hold of your private key, since they can then sign transactions as you, effectively stealing your blockchain identity, and there is no password reset. Another issue lies in the transaction ledger itself: regardless of pseudonymity, every transaction can be read by anyone with access to the ledger, which is not ideal when transactional user data has to remain private.
To meet this need for a private ledger, confidential computing comes into play. Confidential computing runs the analysis inside a hardware-isolated trusted execution environment (TEE), so a user or third party can process the ledger data without the host operator, or the analyst, ever seeing the sensitive records in the clear. A 'have your cake and eat it too' innovation for blockchain and the companies using it.
AI & machine learning
AI, hopefully, is not the apocalyptic scenario that The Terminator predicted. AI and machine learning (ML) are simply captivating, and the concept and the sheer rate at which the technology is developing are probably the reasons behind all the conspiracy theories and media attention surrounding AI.
But, back in the real world, AI and ML already have an impact on customer data security and will have more as the technology advances. Models trained on past incidents can flag patterns of malicious intent, such as phishing and spear phishing, and block these attacks before they land.
Not to mention, AI can comb over massive amounts of data far more efficiently than a human ever could, freeing up time for cybersecurity teams to focus on other workflow areas.
The biggest drawback of AI and ML is the concern over data privacy and security. You may be thinking, 'wouldn't AI be ideal for handling personal data? It's an algorithm, not an error-prone sapien.' The issue, however, lies in the development and training stage.
Training AI and ML models requires an 'Everest' of data to be amassed and centralized, and that central pile is what feeds public and private concern about cyberattacks: the whole 'eggs in one basket' scenario.
To clear this initial hurdle to customer privacy, federated learning has been proposed. Federated learning trains a model across a multitude of devices: each device trains on its own data and sends only model updates (weights or gradients) back to a central server, which averages them, so the raw data never leaves the device. It is a promising step for consumer data privacy in the GDPR age, with one caveat: model updates can still leak information about the data behind them, so production systems add secure aggregation or differential privacy on top.
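To show what "only the updates leave the device" means in practice, here is an added example, written for this page rather than taken from the original article or any federated-learning framework. It simulates federated averaging (FedAvg) for a one-variable linear model: three pretend devices each hold a couple of records, run a few gradient steps locally, and return only their updated weights and record count; the server averages those. The device names and records are constructed sample data, chosen so that every record lies on y = 2x + 1 and the federation should recover w = 2, b = 1.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not real telemetry): each "device" holds two (x, y)
# records, and every record satisfies y = 2x + 1.
CLIENT_DATA: Dict[str, List[Tuple[float, float]]] = {
    "phone-A": [(-1.0, -1.0), (-0.5, 0.0)],
    "phone-B": [(0.0, 1.0), (0.25, 1.5)],
    "phone-C": [(0.5, 2.0), (1.0, 3.0)],
}


def local_train(data, w, b, lr, local_steps):
    """Runs on the device: a few gradient-descent steps on the local records
    for the loss (1/2n) * sum((w*x + b - y)^2). Only the updated parameters
    and the record count are returned; the raw (x, y) pairs stay here."""
    n = len(data)
    for _ in range(local_steps):
        residuals = [w * x + b - y for x, y in data]
        grad_w = sum(r * x for r, (x, _) in zip(residuals, data)) / n
        grad_b = sum(residuals) / n
        w -= lr * grad_w
        b -= lr * grad_b
    return w, b, n


def federated_average(clients, rounds=200, lr=0.5, local_steps=5):
    """Server side of FedAvg: broadcast (w, b), collect each client's update,
    and average the updates weighted by record count. Returns the model and
    a log of everything that crossed the network."""
    w, b = 0.0, 0.0
    wire_log = []  # (w_k, b_k, n_k) triples: parameters and counts, never records
    for _ in range(rounds):
        updates = [local_train(records, w, b, lr, local_steps)
                   for records in clients.values()]
        wire_log.extend(updates)
        total = sum(n for _, _, n in updates)
        w = sum(wk * n for wk, _, n in updates) / total
        b = sum(bk * n for _, bk, n in updates) / total
    return w, b, wire_log


def demo():
    w, b, wire_log = federated_average(CLIENT_DATA)
    return w, b, len(wire_log)


if __name__ == "__main__":
    w, b, sent = demo()
    print(f"learned w={w:.4f} b={b:.4f} after {sent} parameter messages")
```

Two things to notice. First, the x values are spread across the devices (the left, middle and right of the line), so no single device could learn the model alone; the server never sees any of their records yet converges on the shared one. Second, `wire_log` is the complete record of what an eavesdropper on the network would obtain: a sequence of (w, b, n) triples. With two records per device and a linear model, those triples still say a lot about the records that produced them, which is exactly why real deployments add secure aggregation (the server sees only the sum of updates) or differential privacy (noise added to each update) rather than trusting FedAvg alone.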
Digital twins
In essence, a digital twin is a simulation model of your environment on which your company can test its cybersecurity tooling. It integrates AI, ML and IoT to create a digital replica of its physical twin that learns and changes over time, letting security teams run attacks against the simulation and tune their defenses before anything in production is touched.
All this sounds promising, but a major drawback lies not in the tech itself but on the human side. A digital twin of your environment, with your security controls modelled in it, is essentially a treasure map to your back end if someone else obtains it, so it needs protecting at least as well as production.
Innovation for the future, what's next?
So what's next in the tech pipeline for customer data security? These questions are always hard to answer and the potential is endless, but there are some standouts that seem viable and downright interesting, such as post-quantum cryptography and homomorphic encryption.
Post-quantum cryptography is a stepping stone cybersecurity will have to take. Today's quantum computers are far too small to threaten anything, but a sufficiently large one running Shor's algorithm would break the asymmetric cryptography (RSA, Diffie-Hellman, elliptic curves) behind almost every TLS connection and digital signature, becoming the hacking equivalent of a 'skeleton key'. Encrypted traffic recorded today could be decrypted then, which is why the migration is being planned now.
Lattice-based cryptography looks to be the most promising approach for the quantum era: of the first four algorithms NIST selected for standardization in July 2022 (CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon and SPHINCS+), all but the hash-based SPHINCS+ are lattice-based. SIDH, the isogeny-based alternative, was broken by a classical key-recovery attack in 2022, a reminder that the field still needs much development. On a different tack, let's talk about homomorphic encryption.
In a nutshell, homomorphic encryption allows computation on data while it stays encrypted. For companies this means a third party, or an employee, can process customer data without ever seeing its contents. The fully homomorphic schemes in use are built on lattice problems, so they are also believed to resist quantum attacks.
It seems like a perfect answer to privacy concerns, but there is one major drawback: fully homomorphic computation is still orders of magnitude slower than operating on plaintext, which makes it impractical for most business workloads today. Hopefully, with further development, this tech will become the gold standard of how companies protect customer data.
Innovation and practicality go hand in hand. There are plenty of cybersecurity strategies to implement and practical things your company can do to protect customer data, and keep one eye on the future to stay ahead of cyber criminals and hackers.
Cyber-criminality is going to become increasingly advanced in the upcoming years and innovation in cyber security is the only way to stay on top. With Valuer's data-driven AI platform, we can help pair the right innovative solution and tailor these ideas to the needs of your company.
Because cybersecurity is a virtual arms race and to survive you must adapt – thanks, Darwin.