How to Protect Data in an Age of Digital SeamlessnessPartner, Digital and Financial Services at Oliver Wyman Partner at Oliver Wyman Financial Services
Think of how you currently book a vacation: the many steps you have to go through, the different companies you have to interact with and the time it takes. Now, imagine booking your annual vacation simply by clicking a “same as last year” button.
Your flights are booked, ground transportation scheduled, accommodation arranged with your particular requirements, insurance purchased, and gym membership paused for the two weeks you’ll be away.
This is called “digital seamlessness” — the integration of technologies to reduce user effort and hassle. It is the opposite of user friction. The above scenario is not far-fetched.
The trend toward digital seamlessness is accelerating; industries from finance to health care are increasingly using seamless technologies to make it easier for consumers to use their products and services. More than four billion people now own a smartphone, with many using them to buy groceries, manage finances, book travel, arrange deliveries or receive health care.
But the systems that enable these popular services also face a significant risk — large-scale cyberattacks that could expose valuable nonpublic information or, even worse, disrupt entire industries.
Greater Convenience Brings Greater Risk
The trend toward digital seamlessness is increasing cyber risk in several key ways. First, attractiveness of the target. The highly valuable data, such as personal and financial information, stored and produced by seamless technology, makes an attractive target for hackers and cybercriminals, who are motivated by financial gain.
Second, volume of data. As users disclose more personal information, for example, their geolocation, in exchange for a more seamless experience, companies collect and store this data in bulk. These massive stockpiles of information are especially appealing to cybercriminals, because a single hack could get them access to far more valuable data.
Third, concentration of risk. Take our travel example. If someone’s phone was compromised, the loss could be significant. From one device, criminals could gather the consumer’s personal and financial information and use that to charge up credit cards and drain bank accounts. Or even worse, access the biometric data used to secure the booking or your medical history via your travel insurance company. Credit cards can be replaced, but fingerprints cannot.
Fourth, increased attack surface. An attack surface is a connection point between different parts of apps or systems that need to communicate with each other. The same technology that enables consumers to seamlessly use their smartphones to deliver dinner or to reserve tickets creates additional attack surfaces — or connection points — that hackers can target. The more connection points, the more vulnerable a system.
Businesses should operate on the “not if, but when” assumption that defenses will be breached at some point.
To illustrate these dangers, consider the 2018 case of a major hotel data breach, which exposed more than 500 million customer records. In a pre-seamlessness universe, this may have been limited to a customer’s stay and check-in information. Instead, details on the company’s customer loyalty program, which makes it easier for consumers to book and use the hotel chain, were also breached, and cybercriminals accessed passport numbers and other information. These records could enable large-scale identity fraud with significant impact on consumers.
Practice Good Digital Hygiene
The good news is that there are a number of measures that businesses can take to mitigate the additional risks introduced with digital seamlessness, without compromising user experience.
Support (and benefit from) the growing awareness of cyber risk in consumers and employees. Companies are spending more time and money to educate staff and even their customers to avoid some of the most common and costly mistakes. Many cyberattacks could be prevented if people followed basic cyber hygiene, such as not trusting unknown sources with personal information and being circumspect regarding websites that appear real, but are not.
Most retail banks no longer ask customers to share personal information or to transfer money by email and phone, and many also use multifactor authentication via a phone or physical card reader. Customers also should not use the same login password for multiple online services.
These simple techniques would help prevent the majority of breaches. For example, a cloud storage company suffered a breach in 2012 that exposed 68 million records after an employee used the same credentials on work and personal accounts.
Operate on the ‘Not If but When’ Principle
Strive for “security by design” — focusing on building in system security from the outset. In an interconnected, seamless world, system elements have multiple complex interdependencies. These should be mapped out fully during the design process to eliminate security blind spots and mitigate exposure to penetration and disruption.
As a guiding philosophy, businesses should operate on the “not if, but when” assumption that defenses will be breached at some point. This puts the focus on timely detection and response, rather than purely on prevention. There is more work to do on this front, but progress is being made: In 2018, the global average dwell time (spent by attackers inside networks before detection) decreased by around 25% to 78 days, thanks in part to smarter and more rigorous monitoring of network activity.
Know Your Partners
Perform thorough due diligence when integrating with third-party services to create a seamless experience. Companies may rely on an extended supply chain to offer a convenient service, but they should carefully evaluate both their upstream and downstream dependencies, along with any cyber risk this may introduce. Many organizations have recently improved their third-party risk management capability, limiting access to critical internal infrastructure, and establishing robust monitoring and visibility, such as through consolidated management dashboards.
View Data As a Liability
View data as a liability, weighing the benefits of collecting incremental consumer data that may enable them to marginally improve or tailor a product against the cost of a potential breach. At the end of the day, while consumers seek ease, they also value privacy. No one wants to have their identity stolen when they book a vacation.
The benefits of digital seamless are significant and exciting, but to quote a certain superhero, “with great power comes great responsibility.” As digital seamlessness becomes more and more a part of our day-to-day lives, it is essential to have consistently strong cyber resilience across this fast-changing ecosystem.