Laura Kankaala, Head of Threat Intelligence at F-Secure, looks at why everyone needs to take ownership of digital safety
Discussions around online safety have increased of late, fuelled by well-publicised customer data breaches such as those affecting Marks & Spencer and Co-op. And while I encourage any debate that helps to inform and make changes, it’s important that we don’t assign responsibility or blame to just one group – whether that’s the retailer or the social network. The scale of the issue is such that it’s everyone’s problem.
Our movement towards a digital-first society means that there is now a vast amount of personal data held online. This is data that businesses ask for and consumers consent to giving, so we must all align on safety because data has the potential to be exploited, which can be costly for everyone – businesses and consumers.
Cyber criminals are experts at exploiting technical vulnerabilities to gain access to personal information. Once they have it, it becomes a commodity to be traded, sold, or used to manipulate and extort.
Data is not the only thing at stake. The Global Anti-Scam Alliance (GASA) found that over $1 trillion was lost globally by consumers through online scams. As our dependency on technology deepens, we can expect this to worsen unless all of us take drastic measures.
The UK Government’s commitment to introducing legislation to tackle online security is a positive step. In October 2024 it introduced APP payment legislation making financial institutions liable to pay for fraud up to £80,000. As part of this legislation, financial providers also need to demonstrate the measures that they are taking to prevent customers being scammed.
However, this legislation, albeit a step in the right direction, is not going to stop cyber criminals. Laws are made for the law-abiding, which makes them a good tool to encourage lawfully operating companies and entities to enforce cyber security best practices and hold them liable. In a worrying move, we’ve seen governments dismantle organisations, such as the PSR in the UK, as well as the CFPB and FTC in the US, all of which are tasked with making sure enterprises protect data, money and the rights of individuals.
Legislation is required to set baselines for cyber security requirements, among other things. But laws are not going to put a full stop on cyber crime: attackers will still find creative ways to exploit technology for illegal gains.
Consumer cyber security is a problem that extends well beyond enterprises and organisations. Cyber security is also a deeply personal matter. F-Secure data found that 77% of people worry about online safety, with 7 in 10 unsure of whom to trust. Concerns about cyber security are not unfounded, as scams are continuing to increase in numbers with more scam victims than ever. According to GASA, 45% of people experienced more scams in the last 12 months than the year before.
The final piece of full protection comes from organisations and businesses, such as banks and payment providers. They not only need to make sure they are protecting data and users adequately, but should also invest in resources to keep their consumers safe by giving them tools and knowledge of how to stay protected against scams online.
Enterprises that deal with consumer-facing services or applications can offer built-in security solutions embedded within their own applications, making them accessible to their customers. It is also important to fully understand the threats that customers of a specific enterprise or organisation might face, because it will make it easier to communicate threats and educate users on cyber security matters.
Cyber security awareness is also a key element, but protecting societies and humans across the world can’t depend on awareness alone. Cyber criminals are creating more sophisticated and convincing scams every day with modern technologies such as generative AI.
Furthermore, the best kind of awareness shouldn’t focus only on what the most topical scam type looks like – it should also focus on how to systematically spot scams by looking at URLs, checking files with antivirus software and so on. And perhaps most crucially, awareness should focus on how and to whom victims of scams can report these incidents, and how to recover in case they lose money or data to a cyber criminal.
Finally, no one person can solve the problem of cyber crime alone. It takes continuous effort to build legislation that enforces security in IT systems that empower our societies. Enterprises need to take proactive action even beyond what legislation states to protect data and users against threats. They can also step in to empower their customers to stay safe by offering them helpful tools and awareness initiatives to thwart scams in their personal lives.
The fight against scams and crime online is a holistic effort that requires attention from all of us.