Nicholas Cairns, a consultant in cyber threat defence currently working at National Australia Bank (NAB), said that it has become virtually impossible to remain anonymous in the modern world, thanks to the large amount of data held about us — even data which we may not consider.
“You’re not anonymous anymore,” he said.
Emphasising that he was speaking from his own experience, and not on behalf of his employer, Mr Cairns told attendees at the CEBIT conference in Sydney that, despite the volume of data, there are steps people can take to help safeguard their personal data.
“Protect the data like it’s your bank account,” he said, noting that there is a “fine line between ease of use and security”.
Separate mandatory and other forms of data
Perhaps the biggest, yet least prevalent, piece of advice from Mr Cairns came in terms of keeping the different types of data held about you as separate from one another as possible.
“There is information that cross-pollinates or pivots between” what he called the mandatory and the non-mandatory personal identity information.
Madatory data, Mr Cairns explained, includes personal identity details that are required largely for a regulatory perspective, such as identity verification details used by airlines for travel, banks for financial transactions and products, as well as utility providers.
Non-mandatory data, he said, includes other forms of data which can be used to form part of your identity, such as social media accounts, professional credentials and qualifications, as well as even online games and apps.
“If you’re going to be completely anonymous online, completely separate that data,” he said.
That can include not using the same email address for all of these various accounts and platforms, choosing different passwords and social media handles and so forth, to make it difficult for fraudsters to connect the dots that both belong to the same person.
‘Think like your enemy’
Another important factor in cyber security, the consultant said, involves being alert to the ongoing and changing threat to data security.
“Data equals risk,” he said, and that the threat is never-ending, meaning there is no room for complacency.
He urged everyone to “know your adversary” and to “think like your enemy” in order to stay one step ahead of criminals and hackers, suggesting that a proactive approach to security to identify and resolve weaknesses can play a powerful role in protecting data from unwanted access.
According to Mr Cairns, cyber criminals work in a continual loop which broadly follows this pattern: observe → orient → decide → act → cash out.
He said that knowing this process can help to thwart attempts to access and misuse data.
Beware of human actions
Deliberate actions, accidental actions as well as inaction can all contribute to personal data falling in the wrong hands, Mr Cairns noted.
As such, it is important to understand exactly who has this data. For example, businesses have suffered data breaches after rogue contractors or third parties were given undue access or abused legitimate access.
He said that data breaches as a result of human actions are generally the result of human error, inherent data vulnerabilities or malicious attempts.
Human error can be an unintentional mistake or a lack of preventative action, Mr Cairns suggested, while deliberate actions can be for individual benefit or commercial benefit by one business or entity against a competitor.
And given the interconnectivity of the modern world, Mr Cairns said that breaches can happen anywhere.
He cited several recent examples, including:
- A Brazilian telco being hacked by a commercial adversary, with the information obtained and sold on the dark web.
- The closure of Cyber Bunker in Poland, which was the result of a three-year investigation by German authorities about a German national attempting to store data that could not be subject to law enforcement by any national jurisdiction.
- A US data broker exposing the details of millions of customers and users of a prominent software company.
Where possible, know who holds your data
A big part of the problem around data security, Mr Cairns said, is knowing who holds data and what information they have access to.
Perhaps not so obvious at first glance, employers hold a wealth of personal identity data about individuals, which is useful for both the worker and the employer to be aware of.
Mr Cairns noted that names and contact details, ABNs of contractors, banking and tax details, and even the names and contact details of our parents or partners (as next of kin) are typically held and stored by employers.
In addition, other information can also be provided to employers during the course of employment — passport and airline loyalty scheme details for business travel, medical details and histories, social media accounts, drivers licences, qualifications and employment histories, as well as photos.
On top of this, employers can also use third parties which can be privy to this data.
“It’s so hard to secure that data and use it in a proper context,” he said.
“We don’t know what the data is doing.”