What to do and what not to do – Cybersecurity standards and personal data online
21 May, 2022, 2:45 pm
A very common question I get asked by C-level executives, and by IT-savvy individuals such as young professionals, is obviously: “what are the cybersecurity standards or laws that I or our staff/organisation should adhere to?”
Here’s the thing: just as Facebook/Messenger/WhatsApp or Instagram legal policy updates creep up on you on the Internet, standards too had to be introduced by our democratically elected lawmakers.
After all, if there is no law against an act, a person is free to do whatever he/she pleases, as I do when quietly engaged in lucrative offshore Bitcoin mining investments (email me if you’re interested).
In Fiji, we have the Cybercrime Act 2021 and the Online Safety Act 2018, which cover most things you can (or cannot) do on the Internet. Most of it is fairly standard and expected of modest persons of society, but these cyber laws have also allowed Fiji (and Vanuatu) to be invited to accede to the international Budapest Convention on Cybercrime in December 2021.
In the Pacific region, Tonga and Australia are also full members (New Zealand has observer status) of this international cybercrime agreement, which allows transnational cybercrimes to be investigated across borders (or jurisdictions).
I mean, the Internet has no borders anyway, so these types of international cyber agreements are very much required to keep those pesky hackers (including organised crime and some nation states) at bay! The war (or conflict) in Ukraine with Russia is very much a test of these international cyber agreements, as well as of other diplomatic avenues.
It all boils down to definitions and here my fellow professionals in the law profession and strategic policy are very much engaged.
Geopolitics is also skewed, as the economic impact is felt first in Europe and then in the rest of the world. Still recovering from the pandemic, most countries are being stretched in their resilience to such events, which affect all market segments.
This is a side effect of globalisation not envisaged by the WTO in its economic policies of the 1980s and 90s.
For organisations, an ISO/IEC 27001 ISM (Information Security Management) certification is considered the cybersecurity standard to aspire to.
Is it required? That is a question to be answered by policy makers or boards, but I would recommend its consideration and implementation at some level.
Most of the cybersecurity standard has to do with modifying procedures, and most organisations have now undergone digital transformation – somewhat fast-tracked during the pandemic with working from home.
This is simply integrated with previous manual business procedures.
The difference is that the audit, evaluation and monitoring processes now include critical information assets, which are not all technical in nature.
As many of us now know, and as Dan Palmer, a senior analyst with ZDNet.com, quite recently pointed out: the Internet does not forget! Many of us know this, or at least it’s something that’s in the backs of our minds as we post updates to Facebook, share photos on Instagram, detail little insights into our daily lives on Twitter, and enter our personal data into a variety of other social media platforms and online services.
But now I can see that it’s really true, for me at least. For years, I’ve been writing about cybersecurity, so I’m aware of the risks around personal information being shared online and how valuable our sensitive data can be to cybercriminals. It’s why I’m careful with what I sign up to, what I post, and who can see it.
I make sure that my passwords are complex enough so they can’t be guessed, plus whenever possible, I use multi-factor authentication to protect my accounts.
These are all habits I’ve developed during the past 20 years or so.
But prior to that, I was much more naive about putting personal data online, particularly when I helped establish the first commercial Internet in Fiji in the mid-1990s and everything was still new, fresh and open!
I got my first taste of social media with MySpace, and I joined various online forums, posting comments and talking with people with similar interests.
Back then, security and privacy didn’t really cross my mind until I was involved in the investigation of one of the first online pedophile cases in Fiji and the South Pacific, back in 1997.
Interpol was involved, and I probably should have been mentally prepped by more senior police officers and investigative agents, but as I always tell people – there are things you can’t unsee, and they can definitely change our perception of the world.
I realised then that the power of the Internet could also be used for the things that now go underground into the Darknet, and for a few years I kept an almost non-existent digital footprint.
Which is why it was startling when someone showed me how easy it was to find my username for a particular forum – and linked me to a bulletin board thread containing almost two-decade-old photos of me.
It was strange to see them and think about how they’d been sitting online for over 20 years – and for a savvy cyber sleuth, that account could provide a pathway to finding out all sorts of other information about me and my online habits — and as I discovered, it does.
Fortunately for me, it wasn’t anyone with ill intent who’d been digging around my online history, but it gave me an insight into how this long-forgotten online profile – and other aspects of my digital footprint – was out there on the Internet and how they could be abused.
Because while finding old data about me had nostalgia value, in the wrong hands and against a different person, such information could be the key to unlocking a whole lot more.
We’re in the age of data, and that data can easily end up in the hands of people with nefarious intent.
If you’re using the Internet, it’s highly likely that you have at least one personal email address. It’s what we use to sign up for various services – and there can potentially be hundreds of those, even if we only use them once before forgetting about them.
And that information doesn’t go away. I have two personal email addresses that have been active for over 20 years, which have been used to sign up for many different websites and online services.
Unfortunately, a number of those services have ended up being breached by cyber criminals and information about the accounts pasted online.
According to HaveIBeenPwned, my two email addresses have been in at least 11 different breaches over the years, possibly exposing linked information including my name, online usernames, passwords and more. Scary.
Cyber criminals often take advantage of the way people re-use the same password. For example, someone using one password on their personal email account and the same one for their corporate account could potentially provide cyber criminals with a route into a corporate network.
Alternatively, if your username and password for your email is the same as your username and password for your bank, hackers will quickly discover and exploit this loophole.
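One defensive check that follows from this is to test whether a password is already in a known breach corpus before it is reused anywhere. The block below is an added example, not code from the column or from HaveIBeenPwned: it imitates the k-anonymity lookup of the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash are sent; the suffix match happens locally) against a small constructed sample corpus, so it runs offline.

```python
import hashlib

# Constructed sample corpus for this example (not real breach data): a few
# weak passwords with made-up "seen in breaches" counts.
CONSTRUCTED_LEAKED = {"password": 3730471, "123456": 37359195, "qwerty": 3912816}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Simulated server side: bucket leaked hashes by their 5-char prefix.

    Each bucket holds lines "<35-char suffix>:<count>", the same text format
    the real /range/<prefix> endpoint returns.
    """
    index = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKED)


def fetch_range(prefix: str) -> str:
    """Stand-in for an HTTP GET of /range/<prefix>; only the prefix leaves the client."""
    assert len(prefix) == 5, "only the first five hex characters are ever sent"
    return "\n".join(RANGE_INDEX.get(prefix, []))


def pwned_count(password: str) -> int:
    """Return how many times the password appears in the (sample) corpus, else 0.

    The server sees one of 16**5 prefixes, so it cannot tell which hash in
    that bucket (if any) the client was interested in.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple x7"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: {f'seen {n} times' if n else 'not in sample corpus'}")
```

A real client swaps `fetch_range` for an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` and keeps everything else unchanged.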
Our email address and mobile number are often the keys to our online lives. We use them to log in to social networks, banking, shopping and many other online services.
Most of us stick to the email address that we’ve used for many years, because we’re used to it, and it’s tied to so many things we use every day.
But for most of our information, once it’s out there on the Internet, it’s out there for good and there’s not much we can do about it.
That means the best practice is to understand what information might be out there and to be alert about when your personal data might potentially be abused.
For example, if you know credit card details have been stolen in a data breach, it’s a good idea to contact your bank, cancel that card and get a new one to avoid fraudulent activity on your account.
There’s no way to remove the photos or the connected forum posts, along with a traceable trail of information about my online history spanning 25-odd years.
It’s a little disturbing but serves as a reminder that personal information that ends up on the Internet can end up there forever, even if it’s something you’d rather forget.
As scientist and sci-fi writer David Brin observed: “When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”
From the Godfather, “It is what it is” — God bless and stay safe in both digital and physical worlds this weekend.
- ILAITIA B TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on firstname.lastname@example.org