Andrew Jenkinson
CEO, Cybersec Innovation Partners

I strongly believe that conformity bodies play a critical, integral role in educating and auditing organisations to ‘keep them honest’.

Having said that, confirmation of compliance does NOT necessarily mean secure. The two may seem to be entwined, however the two are very different.

Since the invention of the World Wide Web as a method for academics and the intelligence community to share information and knowledge, the WWW and Internet have grown rapidly whilst security has lagged behind. Cybercrime has increased exponentially in the 21^st century, costing the global economy more than USD 6 trillion in 2021. That makes cybercrime, in terms of monetary value, the world’s third largest GDP behind the United States and China, and it’s on an upwards trajectory.

You will hear most people say something along these lines, ‘’I’ve nothing to hide, I don’t mind who sees or reads my emails, or knows which websites I visit.’’ The majority of people remain naïve to the fact their data can, and more than likely is being captured, redirected, repurposed, and often sold.

Their data holds a lot of personal, often sensitive information. It will also provide personal identifiable information (PII) data which may include passport, driving license, national insurance number, credit cards, addresses, email account details, passwords, and even the IP address of their laptop or tablet. Think GDPR or similar compromised privacy.

Each piece of PII data can be abused, manipulated, and used for nefarious purposes. The owner/owners do NOT know until after the event when the impact of what may seem like a totally separate incident actually gained data about them ‘online’ and that data was scrapped and used, often completely unknowingly.

It’s the responsibility of tech giants to keep us safe, surely? Well yes, to an extent. However, the manufacturer of your vehicle is not responsible for how you drive.

When organisations like SolarWinds, EasyJet, British Airways, or Microsoft get hacked, it is down to them to face the music. However, that may not compensate or address the repercussions from personal digital identity theft (DIT). There may be a compensation payment, however many people’s lives can be negatively impacted over extended periods of time.

The hacking of Easyjet for example impacted 18 million customers, the majority of whom had their PII data exfiltrated. EasyJet may well be compliant and hold every certification possible in their field but were fined for security negligence. Optus 10 million customers, Marriot 300 million customers, and the Office of Personal Management (OPM) 22 million security cleared personnel’s data exfiltrated.

The numbers are staggering and billions upon billions of people’s PII data is exfiltrated annually. Much of it can reused as described above.

An abundance of products and services claim to make you secure, but many DO NOT. The marketing people simply spin yarns, and the vast majority of people know no different until they are directly impacted.

What measures can be taken to stay safe online?

I would like to emphasize two major points. The Internet was and is weaponised. To avoid being ‘scammed’ on the Internet, one must understand how to navigate it safely.

1. Never go on a ‘Not Secure’ website
2. Be aware of emails received

Websites either display a padlock in the address bar (top left) or a ‘Not Secure’ sign. Although the padlock does not confirm complete security, it does confirm the digital certificate and the website match and that data being sent from, and to the website is encrypted and using the latest protocols. If it says Not Secure, simply AVOID as chances are it may be a BOGUS website.

Everyone has heard of phishing and emails being used to obtain credentials with spurious links. NEVER open emails that you are not expecting, or that simply do not look right, without investigation.

For example, I get sent several emails daily informing me my password is expiring, or my HR team needs confirmation of something. If these things never occur or seem unusual, phone the contact, or undertake some due diligence. DO NOT OPEN THE EMAIL OR CLICK THAT LINK.

We appreciate it is NOT easy to stay safe online and you do need to seemingly be on high alert. Sadly, there are cyber criminals scouring the Internet for exposed and vulnerable people and companies. Due to a lack of knowledge and lack of discipline, these criminals find more exposed people and companies. They can simply grade the ‘victim’ for level of ransom, or value for the potential value of their data before launching easy attacks.

Let me leave you with this thought. A cyber criminal can only disrupt, cause chaos, steal your data, and negatively impact you or your company if they can gain ACCESS. If they cannot gain easy access, they will simply move on.

As John F. Kennedy said, “There are risks and costs to action. But they are far less than the long-range risks of comfortable inaction.”