Using those 'oh s**t' moments to help make small changes that reduce our online security risk.
At some point in your life, like me, you may be unlucky enough to experience theft - let's call this that 'oh s**t' moment.
I had one of those moments very recently. One of our neighbours in our apartment block called to let us know that an intruder had been in the shared garage earlier that day. We checked our storage cage when we got home, and found that our suitcase was missing - this suitcase also matched the description given by a witness, who saw the intruder walking out of the building with a suitcase around the same time they were captured on my neighbour's CCTV.
I felt a few feelings at that time:
· Relieved - it was just a suitcase and nobody was hurt.
· Annoyed - by the blatantness of the attacker, the inconvenience and potential cost
· I also felt a bit stupid - we had saved and invested in one of those decent hard shell 4 wheel suitcases - why did I stupidly store it on display in our storage cage?
· I also felt a bit anxious about this new threat - without divulging how the intruder got in, I was concerned that someone could gain unauthorised access to our storage cage. It made me worry about the overall security of our apartment building and whether they would come back. I felt less safe.
This got me thinking - do 'security breaches' and the way they make us feel provide a good opportunity to help us adapt our behaviours to reduce our future risk?
We know from research that long term behavioural change is hard in all aspects of our life. It's also true that changing our behaviour based just on fear doesn't normally lead to effective long term behaviour change. We tend to respond in an emotional way and either think about impractical solutions we can't sustain, or bury our heads in the sand and do nothing.
Well, I can tell you that my first ideas were impractical and emotional - my fear led me to seriously consider moving house! If not, then I would stop using the storage cage for storing anything, and never go down to the garage alone.
So, what might be a realistic and achievable behavioural change for me to make after this recent event to reduce my risk based on my knowledge of the new threat?
To help me take a more objective (and non-emotional) view on the small changes we could make to reduce our risk in the future, I assessed the event using some of the skills I introduced in my first blog:
1. Prior to the breach, did I identify what was valuable to me, where those valuables were kept, how well they were protected and the potential impact if something happened to them?
I knew the suitcase had value ($600 of value to be precise!), I knew it was in the storage cage and based on the threats I knew about, I believed it was well enough protected (with a padlock and our building security) and I assumed that there would be little impact to me financially as my insurance would take care of it.
I also, like most humans, was mostly optimistic about my chances of falling victim to crime through my Optimism Bias - a concept human security behavioural expert Dr. Jessica Barker recently highlighted to me.
2. Was I aware of and up to date on threats around us and whether we might be vulnerable to them?
We were not previously aware of the threat of someone targeting apartment storage cages, so didn't know we were vulnerable to it.
We hadn't received any proactive alerts from the police before the event, to let us know about this threat when they first became aware of it.
3. Did I know what to do?
Yes, instinctively - we checked what had been stolen, didn't touch the crime scene, called the police to report it and talked to neighbours.
At this stage we had no idea how the intruder had got in.
4. Did I know how I would recover from this incident?
Prior to the theft I assumed I would get a police crime number, claim it on insurance, get the settlement and go and buy a new suitcase.
What actually happened was the following:
The police came and:
· Took some photos of the crime scene
· Provided reassurance that this was a targeted attack from criminals operating in our area, specifically going after storage cages in apartments, making us feel like we were not alone in experiencing this crime. They also helped us to understand how the intruder likely got in.
· Provided a crime number (should we wish to claim on our insurance)
· Provided advice on additional security controls we could install
· Left us with some information sheets for residents to help us reduce our risk in the future.
I also checked my insurance policy and realised that the rather large excess on our insurance turned out to be the same price as the suitcase - this was a reminder to pay more attention to insurance excesses as they seem much bigger when you actually need to fork out for them!
5. So what adaptations were we willing to make to reduce risk in the future?
As mentioned above, my initial response (which was based on fear) was to move house or if not, to never store anything in the storage cage again and never go down into the garage alone.
However, on reflection and thinking things through after going through the review above, we realised the following small changes could be made that were realistic and would help reduce our risk:
· Updating our 'family policy' on what we stored in the storage cage - high value items in the apartment only but we could still store low value items in there
· We spoke to our neighbours and, using input from the police, we agreed on and installed additional security measures
· We also reviewed our insurance policy but decided to keep the current one as the monthly payments suited our budget (and we would just have to deal with the excess at the time if and when we needed to claim on the policy)
If you've been unlucky enough to experience a theft, or thought about what you would do if you did, you might have been nodding your head throughout this first section as this may all seem quite familiar to you.
So, how might this play out in the case of an online theft incident?
Would we be able to just as easily find and implement small behavioural changes to help reduce our risk?
This time we will use a very real example of Jim (name and some details have been changed to preserve Jim's anonymity).
Jim, like me, is a 38-year-old human living in Australia. He's a dentist, has a separate personal laptop and uses a 'cloud' email service (such as Gmail, Outlook or Yahoo) for personal use.
Unknown to Jim, online criminals have been able to log into Jim's email from a different computer/location undetected by Jim.
The criminals 'got in' to (compromised) his email by using his email log in credentials (username and password) that were compromised in past data breaches - a type of online attack which is referred to as Credential Stuffing.
They have gone through Jim's emails and found passport and driver's licence information in previous emails he had sent regarding a rental application in the past.
The criminals have then sold this information on to other criminals on the DarkNet - the online marketplace for criminals (as covered in a previous blog). Those criminals have used this, and other information they found out about Jim in public forums including his full name, address and DOB, to apply for a new mobile phone and phone contract in Jim's name.
Jim just had his 'Oh s**t' moment this morning when he received a bill through the post for a new mobile contract he didn't take out.
Using the framework I used above, let's review this 'security breach' for Jim:
1. Prior to the 'breach' did Jim identify what was valuable to him in the online world, where those valuables are kept, how well they are protected and the potential impact if something happened to these valuable items?
Jim knew that he was using his email to send sensitive information including his passport details but assumed it was secure.
Just like in my suitcase example, Jim believed he had protected his online email account to the best of his abilities, based on the threats he was aware of. I'd used a padlock for my storage cage thinking that was good enough - Jim has a password for his online accounts that he believed was good enough (the password is one he can remember and he uses it for most of his online accounts).
In fact some research carried out in EMEA found that 67 percent of respondents feel they are doing all they can to prevent the loss of their personal data.
Jim hadn't given too much thought to the potential impact of someone getting into his email. He hadn't checked https://haveibeenpwned.com/ to see if his email had ever been involved in a data breach and he didn't know that his password was also easy to guess. He does recall getting an email from a service provider about a year ago to say his log in details for an online website had been involved in a data breach, but he only changed his password for that site.
Jim hadn't enabled the additional layer of security on top of his password – the alarm code service (2 Factor Authentication, covered in my previous blog). He had been meaning to, but had never got around to it as he didn’t believe anyone would want to hack him.
2. Was he aware of and up to date on threats and whether or not he might be vulnerable to them?
Jim had seen a bit on the news about cybercriminals, but he thought they just targeted the government as they always seemed to talk about nations 'hacking' other nations.
He hadn't signed up to any alert services (he didn’t know they existed) and like my suitcase example, Jim only found out about this threat (and his vulnerability to it) once it was too late.
3. Did Jim know what to do once he realised a security breach had occurred?
Jim wasn't sure who to call after he received the letter from the mobile phone company.
Jim didn't, at this stage, know how the compromise of his personal information and identity had happened.
He didn't know if the police would be able to help.
He called the mobile phone company first, who then referred him on to IDCare (a specialist support service in Australia and New Zealand).
4. Did Jim have a plan on how he would recover?
Unfortunately, unlike situations where we experience theft in the physical world and know what to do, Jim didn't have a plan on how he was going to recover - he had never experienced an online security breach like this.
Here is what actually happened:
After calling IDCare, their trained counsellors were able to offer him a free personalised support plan. This included help on who he needed to contact, what reports were needed, as well as advice on how to put a block on his credit file and on changing passwords and how to create strong ones etc. They were also able to offer him some help working through how this type of compromise can happen, as well as emotional support during this difficult time, and reassure him that he wasn't the first person to be impacted by this type of crime.
As for recovering the money from the cost of the new phone and the subsequent phone bills the online criminals had racked up in his name, Jim is still waiting for the money to be refunded by the mobile phone company.
Jim also experienced some negative feelings during the process which included feeling stupid 'for letting this happen' and anxiety about future financial issues resulting from credit issues. The IDCare team were able to reassure him about the likely future risks and how he could reduce risk but it did take him a while to get over what had happened.
5. Was Jim ready to adapt to reduce his risk?
Just like our suitcase incident, Jim experienced some initial feelings of fear, which initially led him to believe he might need to delete his email account altogether.
However, after processing things and talking things through with IDCare, Jim was ready to make some small changes to reduce his risk in the future. These included:
· Changing his passwords (keys) based on the guidelines from my previous blog and avoiding using the same password across multiple accounts. He will also pay closer attention in the future to any emails from companies that let him know they have been breached (and his details were involved), using this as a trigger to change his password and ensure that it is not being reused elsewhere.
· Jim will look into turning on the additional online alarm code system for his accounts (AKA 2 factor authentication, also covered in my previous blog) which he now knows would have allowed him to stop the online criminal from logging into his email account from a different location/computer.
· Jim has noted down IDCare's number and knows exactly who to call if this ever happens again.
· He also talked it through with family and friends to help him process the incident, but also to help ensure they had the opportunity to learn from what happened to him.
I hope this blog helps to highlight to you that we are all human and sometimes we can underestimate risk, physical or online, especially when we combine our natural optimism as humans, with the fact we aren't across the latest threats and whether we are vulnerable.
In addition, our experience of an online security incident, including what to do and how we will recover, might be less familiar to us (than that of a physical incident), given how long the internet has been around and that some of the supporting systems in 'the ecosystem' are less mature (including police, insurance and others).
However, you have the 'framework' and the skills to get through these incidents, whether online or physical, and those behavioural changes you make following a security breach, however small, all go towards helping improve your overall 'resilience' and will help reduce your risk in some way!