Current Issue

With cyberattacks becoming an all-too-common occurrence, the question of who is responsible for prevention has started to evolve. Cybersecurity efforts have traditionally been the responsibility of the organizations and financial institutions that hold  data, but with so much at stake from a breach, consumers now have a role to play as well.

When cyberthreats first began to materialize, government led the charge for cybersecurity. Government agencies came online sooner than businesses and individuals, with computer systems that were (and still are) a treasure trove for threat actors. As the first sector to be targeted by adversaries, this fueled a widespread understanding among agencies about the importance of protecting their assets and educating their workforce on cyber hygiene. Government assumed responsibility for protection and education.

As the commercial side came online the same pattern followed. The financial services industry was one of the earliest adopters of cybersecurity technologies and best practices. Afterall, money is to cyber criminals what honey is to bees, so they had much at stake and had to take a proactive stance. To assist with the effort, cybersecurity experts from the government began moving to the private sector, bringing their security practices with them.

Not long thereafter, landmark breaches of household name brands like Michaels, Target and Home Depot put cybersecurity front and center for consumers. These companies, and countless others that have been breached, work with credit card companies to reimburse consumers for any fraudulent charges and assume the cost for notification, credit monitoring and other services. They also feel the impact of financial and reputational damage that comes from customer distrust. Some of the latest research finds that payment card fraud now costs banks and merchants nearly $23 billion a year and rising.

Initially consumers were not provided adequate tools and education to protect themselves, but that is no longer the case. Unfortunately, not all consumers take advantage of these resources. For example, many of today’s banking, email and social media services offer security tools, like two-factor authentication (2FA) as part of a personal account setup. But because 2FA is not usually required, many people tend to err on the side of convenience and do not take enable it. Individuals also compromise their security by over-sharing on social media, making information public that attackers are using to launch targeted spear phishing campaigns. Password reuse is also a huge problem. A recent report that studied 28 million users found that 52% have the same or very similar passwords across all their services, making their accounts easily hackable. Many even reuse corporate credentials for personal accounts, putting their employers at risk. Individuals are creating significant and unnecessary vulnerabilities.

Much more work still needs to be done to educate and empower users to make informed decisions and mitigate their risk. As more organizations provide individuals with tools and information to protect themselves, individuals may be ultimately required to adopt these preventative measures and perhaps share in the responsibility when a breach happens.

Instead of waiting for some type of policy change that spreads the responsibility for a breach more broadly, we need to do more to address the consumer education gap and, in so doing, strengthen security for all. Here are a few tips for consumers that can help bridge the gap:

  • Always take advantage of the security measures the companies you interact with offer, like 2FA.

  • Use password managers. These applications generate passwords for you, so you can have a different and unique password for every online account without having to keep track of passwords yourself.

  • Do not answer security questions truthfully; through social engineering threat actors can figure out those answers.

  • Take advantage of credit and identity monitoring services to help detect malicious activity quickly.

  • Only use trusted websites; verify the domain name, check the SSL certificate and purchase from websites that use 3D Secure, a technical standard created by Visa and Mastercard.

  • Understand that Europay, Mastercard and Visa (EMV) chip technology does nothing to increase your protection for Card Not Present (CNP) transactions such as online and over-the-phone charges. That said, chip technology does offer added protection for in-store transactions so be sure to request a credit card with a chip if you don’t have one.

  • Never use that unsecured Wi-Fi connections that are common at public locations such as hotels, airports and restaurants.

Cybersecurity is a responsibility that organizations and consumers must share, so closing the education gap is important. Through National Cybersecurity Awareness Month (NCSAM) the government is actively engaged in this effort, working in collaboration with industry to help provide individuals with resources they need to stay safer and more secure online. In addition to participating in NCSAM, companies can make their own concerted efforts, for example posting educational materials online that explain the extra security layers they offer and why individuals should use them. Finally, consumers must also take ownership of their own security. You already lock your car or your house—now you should make sure your personal data is secure too
Michel Huffaker is the director of threat intelligence at ThreatQuotient and has previously worked as a Chinese cryptologic language analyst for the U.S. Air Force before moving on to become an intelligence analyst for the U.S. Department of Defense and has worked on many sides of the industry from government to vendor to end user.