ID Verification: Lessons from the Pandemic

Crime thrives in a time of crisis; this is one of the few things Al Capone would have testified to. The coronavirus pandemic gripping the world is in many ways a perfect opportunity for fraudsters and online thieves to make new inroads and bigger profits. This current crisis comes on top of the prevailing, long-term fraud problems which blight online business and communications.

Worst possible timing

Just prior to the international spread of the virus, online fraud was causing the authorities to worry; in 2019, the FBI detected a 31% rise in phishing fraud, resulting in a $1.7 billion loss to the US economy. This kind of vulnerability was evident when conditions were normal, and online users were going about their daily lives and business. Not surprisingly, relevant agencies are deeply concerned that this rise could be the start of something much worse.

The arms race between online fraudsters and methods to stop them is always a fast-moving affair. At the moment, conditions favour the fraudsters, because their prey is vulnerable. Tens of millions of “office workers” have been cut off from that office, and are expected to carry on from home. Not only are they trying to do their day jobs, they might have children to teach at the same time.

Adaptability urgently needed

In the current environment, the online security industry needs to step up, and quickly. The double challenges of fraud protection and good customer experience are heightened at the moment, and the verification process needs to reflect this.

Perhaps counterintuitively, it may be that initial checks are loosened for new customers; many people are finding themselves using new technology, or facing a bewildering series of hurdles when trying to access services for the first time. The risk of abandonment, therefore, is very high at the moment; the onboarding process may consequently have to be made easier rather than harder.

Of course, this exposes businesses to more risk. In this case, the ability to carry out enhanced checks on some customers also needs to improve, in terms of speed and accuracy. The risk of potential loss from fraud or abandonment is always a delicate balance; the pandemic is bringing this equation into even sharper focus.

Lessons to be learned

Like the effects of the virus itself, the effects of the pandemic on fraud activity will no doubt take many months – if not years – to become fully evident. Unfortunately, online businesses and the security professionals they employ do not have the luxury of waiting to see the results of their efforts to counter fraud; the time to act is right now.

It is likely that new verification systems will be flexible, simple and intuitive for the user, while at the same time improving their performance behind the scenes. Back end processes will be developed (probably using AI) to quickly interrogate the right databases in the right way, so that checks are robust and fit for purpose.

Necessity, as the saying goes, is the mother of invention; the coronavirus crisis necessitates some quick thinking which will, hopefully, carry benefits for online verification into the future.

The Importance of Data Protection – Part 2

As well as the right to withdraw consent at any time regarding how our data is held and what is done with it, the Data Protection Act 2018 gives us quite considerable power over internet companies and other organisations which use the web as a portal.

Subject access requests

It has been possible to request exactly what data an organisation holds about you since the Data Protection Act of 1998; this is done by submitting a subject access request (SAR). In this case, you as the user are the subject, and are requesting access to your own information. The main improvements of the 2018 Act were to speed up the process and make it free of charge in most cases.

By law, a company has to respond to a legitimate SAR within a month of receiving it. If your request is deemed excessive or unfounded, the holder of your data may refuse, delay or charge for this process; if so, they have to inform you of their decision within the same time period.

Legitimate reasons for using data

Once a SAR is answered, the subject (you) will be able to see if your data is being used for legitimate reasons. Under the terms of the Act, there are six of these; most of these are common sense (such as consent, which has been given in all cases), and all are there to protect you as a user.

Importantly, the organisation receiving the SAR must disclose all aspects of the data they hold, and reply in plain language, rather than disguise it in legal terminology. From this starting point, it should be easy to determine whether the business or other organisation is holding and using your data for legitimate reasons.

Erasing or correcting your data

One of the most powerful rights enshrined in the Act is the right to demand your data be erased; this is also known as the right to be forgotten. Legitimate reasons for having your data erased are that you don’t require a service any longer, you object to your data being used for marketing, or you haven’t given consent.

Also, if a company has data which is inaccurate, you can inform them and demand that they amend it. This is often in the interests of the business, so is likely to be carried out without delay. Again, the organisation has one month to comply, or reply with their reasons for not doing so.

Fines and compensation

Complying with GDPR is within service providers’ interests for many reasons, not the least of which are the fines which they can incur for breaking the law. The maximum is set at 20 million euros, or 4% of global annual income, whichever is the higher.

Also, you as the subject have a number of routes by which to claim compensation; job holders employed in the use of data can be sued separately, and for a wide range of reasons. This is another way GDPR encourages compliance by the holder of data.

Check out the 2018 Data Protection Act now; it really is more than a source of inconvenient popups.

The Importance of Data Protection – Part 1

Data protection is a subject many people think has nothing to do with them; if so, they are wrong. Specifically, anyone who uses the internet should be aware of what data protection is, and why it is important. Unfortunately, the speed of online transactions, the number of clicks we all make to get where we want, means that most web users see data protection as a bit of a pain.

Data protection and other interruptions

When logging into an online service, or even just browsing something like a news site, we are bombarded with interruptions. Boxes pop up, literally to block the view of the desired site; this is so we have to do something to get rid of them. In most cases, we click whatever is highlighted, or even press the enter key, and away the interruption goes.

Many of these boxes are related to advertising, especially on certain types of website. However, since 2018, some of these interruptions are to do with data protection; they are asking how we want data about ourselves to be used. The issue is one of consent, as much of a pain as this may be for the average internet user.

What is GDPR legislation?

Wording of the questions which appear in these pop up boxes differs; often today, by clicking the X in the corner, the text says we agree to certain terms and conditions. Quite often, the first conditions we agree to relate to data protection.

The Data Protection Act came into law in the UK in 2018. This codified what is generally referred to as GDPR; that is to say, General Data Protection Rules. Data protection had always been in place, but the 2018 Act enshrined EU-wide GDPR legislation on the UK’s statute books.

Before the Act, it was possible to find out what companies knew about us; but gaining access to this data required time, effort and money. Since 2018, companies have to give out this information free of charge in most cases, and have to do so within a month, rather than the previous 40 days.

Should I worry?

So, when we click the X, agree to emails or cookies, we are often saying that we’re ok with the online business gathering and holding our personal details. The fact is that, if we didn’t, we wouldn’t be able to access most of the sites we visit. That does not mean that personal data is harmful, or that it can be used for anything we don’t want it to be.

In fact, GDPR law is there to protect the consumer; while having to give consent might be slightly inconvenient, it’s actually a good thing. This is because consent can be withdrawn at any point, without incurring penalties, be they financial or otherwise. We should think of clicking our consent as a temporary measure, rather than one which ties us to lifetime agreements.

What are my rights?

As well as being revocable, GDPR legislation is empowering for the individual, as both customer and citizen. In the next article, we’ll see exactly what rights we have under GDPR and the 2018 Act.

The End of Username + Password?

For many decades now, accessing a private online environment has meant entering a recognised user name, corroborated by a valid password. The combination of these two items of knowledge keeps at least the opportunist snoop or fraudster out of a website or user account. Unfortunately, repeated breaches of this security continue to expose the weakness of the username + password verification method.

Doubly unfortunately, this exposure has come at the expense of the private information of millions of people, whose personal details have been available for the world to see. In one case, the head of a healthcare provider allowed their username and password to be witnessed while logging on to its “secure” system.

Vulnerable environment

Gaining access to online services requires security; this seemingly obvious fact emanates from the nature of remote system use. Basically, any user logging onto an online portal is using a computer they cannot physically see or touch.

In business terms, this is the “customer-not-present” environment; identity validation cannot be carried out by one human being looking at and talking to another. While this is very convenient in many ways (and, indeed, drives the entire web-based universe), in others, not being present is the internet’s biggest weakness.

Hackers of various hat colours use automated methods to generate both usernames and passwords; however, as the healthcare chief’s case shows, this isn’t always necessary. Human mistakes or oversights mean that the tried and trusted combination of username + password is only as secure as the person using it.

Adding layers of verification

Knowledge-based access methods (of which username/password is one) have been gradually losing their importance over recent years. Partly this is because usernames and passwords are hard to remember; people tend to write them down, or use words easily associated with themselves.

Two extra layers of verification have come to enhance or replace this knowledge-based approach: devices and personal attributes. Rather than just a keyboard, smartphones, tablets and wearables now have many other ways to interact with their user; this allows them to take selfies, or maybe even scan eyeballs and thumbprints.

In combination with private knowledge (what you know), what you have and what you are can now be used to verify your identity. A combination of all three is certainly much more secure than the username-password method.

Security and seamless user experience

Taking the time to remember and correctly enter usernames and passwords is a clunky, tedious experience for many modern online customers. The rise of technological and biometric layers to remote verification has added advantages for these users; by extracting valuable biometric details, for example, serious security checks can be started as quickly as possible.

For low-risk customers, access can be very quick indeed. However, an advantage of the newest checking methods means that even higher-risk users can be verified without them feeling like they’ve been pulled out of the queue and taken to one side.

This seamless customer experience is as vital as the need for ever-more effective security measures; the demise of username + password may well, then, be a good thing all round.

Customer Due Diligence

Customer due diligence (CDD) is not something which should be the responsibility of the customer, even though it sounds that way. In fact, the diligence is on the part of a bank or other financial institution (FI); it’s up to them to be diligent about who they are taking on as a new account holder.

This may seem like common sense, but the risks of not carrying out CDD are huge in today’s online environment. In the ongoing arms race between fraudsters and legitimate business, slacking on CDD can cost any vulnerable company dearly; it may even mean bankruptcy for some.

Due diligence vs. verification

When a potential customer applies for a new account online (as opposed to walking into a bank), all FIs carry out identity verification checks. These will be a multi-step process, starting with official documentation to verify identity, a separate address check, possible corroboration by a selfie, and a “liveness” test to ensure a physical person is there filling out the online form.

With CDD, however, this is just the start of the process. Once satisfied that an applicant is real, and who they say they are, a raft of other checks need to be carried out. These are to ensure that the person concerned represents a low enough risk for the FI to take on.

A range of databases will be accessed, from governmental to international, private and public, searching for any flags against the verified customer’s name. Most names will produce no flags, but some will represent a risk of some kind; it’s then up to the FI how to proceed.

CDD and the time factor

Low risk customers can be onboarded within a matter of hours; liveness checks and selfies make this process quick and painless. However, a customer who is flagged in any way will necessitate further checks. These can take 48 to 72 hours to complete, which is an awfully long time in today’s instantaneous culture.

For the FI, the risks of these delays have to be taken into consideration. Firstly, banks and FIs want customers, and friction of any kind when onboarding is a sure-fire way of losing potential customers. Doing the numbers, an FI must consider whether the number of customers they lose (even higher risk ones) is more detrimental than the possible losses through fraud.

Also, if an applicant is genuinely dangerous financially, the longer the verification process goes on, the more likely they are to wonder what the checks are finding. In this case, they may decide to regroup and refine their application, including what ID and financial history they have in place.

The benefits of automation

For both customers and FIs alike, the more automated the CDD process can be made, the better. After initial verification, a well-designed and thorough system of database searches, particularly if employing AI, can allow the business some leeway to continue the process, while the customer experiences little or no friction.

Even when a business relationship is formed, effective CDD will carry on working behind the scenes; flags may appear after enrolment, and transaction patterns can be monitored for any suspicious behaviour, as defined by ever-upgraded and agreed standards.

Age Verification

Any parent knows that more children are accessing the internet, more regularly and in more ways, and younger than ever before; this is a trend which is only likely to continue. As education and youth health providers turn to the web to offer services seen by society as positive, those which peddle less wholesome fare are waiting to reap the rewards.

Illegal vs. Harmful

As well as being a living nightmare for most parents, the likelihood of children accidentally or deliberately accessing websites, goods and services which could harm them is something governments are starting to take seriously. What parents and governments want is some form of age verification which blocks underage users from accessing illegal or harmful sites.

Illegal is, in some ways, easier to police. The fact is that it is illegal to sell or offer a range of goods and services to anyone under a certain age; in this case, websites which do face a hefty fine, or possible closure.

Harmful, meanwhile, is less straightforward. Businesses which sell fireworks, for example, know that their products can harm children; however, those which offer certain services can at least claim a lack of evidence. Any harm done to minors from viewing unsuitable images is much harder to prove than a burn from a firework.

Interested parties

How seriously online businesses take age verification, sadly, often depends on their own self-interest. It is simply not in the interests of, say, a dating site to make every visitor verify their age; this interrupts the flow of registration, and will result in a drastically reduced conversion rate. At the end of the day, this is seen as being bad for business.

One way around this is a badge system, whereby a user looking for a date will – at least in theory – prefer someone with an age-verification badge to someone without. This level of light-touch internet policing is something that regulatory authorities like the UK’s Ofcom are looking at. The dangers of pushback by internet providers must be weighed against the likelihood of minors suffering harm at the hands of adults because of half-hearted age verification processes.

Non-anonymous age verification

Even in age restricted areas of the market, not all businesses take age verification seriously. A recent survey showed that only about half of these employed robust methods; the other half relied on anonymous verification, including self-assessment and verification by scanned documents.

A serious age verification system is one which requires the user to give up some of their anonymity. This should really involve a photograph, which in today’s world could just mean a selfie. The image of someone’s face popping up as part of an application or registration is still one of the safest means of age verification.

Although some will say that this goes against the spirit of the internet, parents and authorities such as Ofcom have more pressing concerns to worry about. In an increasingly web-reliant world, protecting minors from harm still falls to responsible adults; robust age verification is one tool to help in this ongoing struggle.

The FinTech Revolution Will Likely be Missed Out by Those With Debt Problems

UK, 13th February 2020: Analysis of StepChange Debt Charity’s clientele has disclosed new insights regarding the financial behaviour of people making steps towards debt recovery.

A study conducted by Experian revealed that 88% are very engaged with the online world; however, a significant 40% are unlikely to be managing their finances digitally. StepChange Debt Charity has recognised the potential of the latest online tools that may help individuals build financial resilience and get over their previous debt problems.

The majority of the people surveyed were found to be online enthusiasts. Mainly from lower income households, they’re active social media users and are probably high users of digital entertainment services, like gaming and video streaming websites, but are a lot less likely to interact with FinTech tools – along with online banking services.

Age was identified to be the largest influencer of digital engagement. 14% of StepChange Debt Charity clientele were those with young families. Of all the groups, these were the ones who were found to be the most likely to employ the use of online banking, as well as digital cash management tools.

In comparison, around 12% of clientele were found to be older individuals and retirees. This group is the least likely to use online financial management tools and don’t have very much interest in accessing these services digitally.

Digital money-management tools can help individuals in difficulty to avoid wasting money and gain a framework for money management, which may help them to avoid or perhaps reduce the impact a financial crisis could have.

Experian and StepChange Debt Charity will continue to work alongside each other to offer even more insights, building more understanding of ongoing challenges, and to look at potential solutions for how clientele can gain greater autonomy over their finances. The charity is close to launching a brand-new online hub to assist individuals with persistent credit card debt.

Although it is not claimed that online tools can solve the nation’s debt problems, they are able to assist, and there is also a potential for an array of new services which can better engage people who are financially insecure.

Seeing as most people who find themselves in debt are in this situation because of a change in their circumstances, helping them to manage their money and build financial resilience means they are much more likely to be in a position where they are able to weather tougher times if and when they occur.

It would also be easy to assume that we are all using digital technology in the same way and at the same consumption rate. However, we’ve discovered that this simply isn’t the case.

FinTech tools are changing the way that many of us are managing our money. However, it is apparent from our findings that a considerable number of individuals looking for assistance with debt issues are reluctant to use online financial tools; this will pose interesting challenges for the debt advice society and sector at large.

Become Data Driven by Overcoming Obstacles

To quote the well-known rhyme, “water, water, everywhere, nor any drop to drink.” I feel this can also be true of data. While organisations have a lot more data than ever before, only a few are able to take advantage of this resource and truly leverage it for insight.

There are no doubts regarding the value of data. It’s viewed as a key competitive advantage, and in some instances, a strategic asset financially.

However, translating your data into a meaningful insight may be a very different task to storing and managing it, from a regulatory perspective. We have seen a large number of businesses invest in many kinds of data initiatives, like analytics, machine learning automation, customer insight, data governance, etc. Yet, most businesses still report that they’re not sufficiently data driven.

Every year we conduct a world study of data management practices and of data usage. This year, we surveyed over a thousand practitioners regarding how they would like to leverage data. The research looked into a number of the obstacles that faced them and why only a few manage to leverage data for insight. We noticed that 3 key areas emerged.

Firstly, there’s a sizeable degree of distrust when it comes to information. The standard professional observing data doesn’t know how the data got there, what state it’s in, or even when it’s useful. Whereas the knowledge that data gives you may result in better insight and more informed decision making, a large level of distrust usually causes leaders to fall back on making their choices by gut instinct, instead of by knowledge that has been provided via the use of data. Subsequently, we’ve consistently witnessed over the past years that many believe that nearly one third of their data is not accurate.

Secondly, we are seeing the rising levels of data debt. Data debt is much like technical debt. You’ve got data assets that may not be fit for purpose, or have data that consists of a high level of inaccuracy. Unless you’re taking the time to repair that data, and govern it properly, you’ll forever have a suboptimal data operation. In turn, poor quality means that several businesses aren’t totally seeing the ROI or expected advantages in a number of the investments they’re making.

Finally, there’s a skills shortage when it comes to data. This doesn’t simply mean professionals, like data analysts, data scientists, and chief data officers (CDOs). There’s a general lack of understanding across the board around data, within the broader business. We’ve seen a growing number of businesses talking about facilitating a wider usage of data across their business and looking to do a lot more with data insight, however only a few people across organisations are actually data literate. Our survey results indicated that most businesses have reported that literacy of data has to become a core ability of staff over the next 5 years.

To generate the amount of insight required to leverage data fully, as a valuable asset, organisations will be required to tackle problems around its accuracy, trust, and of course, data skills. Unless these elements are addressed, organisations will remain surrounded by all of this useful data that will not provide the business with what it actually needs.

6 Ways to Protect Your Data

As a small business owner, it is always important to consider data security.
When looking at the data you may store virtually, from customers’ private information to financial records, it’s not difficult to see that a breach would quite possibly result in serious damage to your business.

One of the board members at the National Cyber Security Alliance, along with the Vulnerability Research Team’s Senior Director for cybersecurity provider Sourcefire, were consulted to find out what security measures were key for small businesses.

1. Establish strong passwords

The simplest thing to do in order to strengthen your security is to implement strong passwords.

A simple tip for creating hard-to-crack passwords is to use combinations of capital and lower-case letters, numbers & symbols, and to make them 8 to 12 characters long.

It is advised to avoid using your birthdate, or anything personal to you.
Use a checker to see if you have crafted a strong password, change your password at least every 90 days, and never write it down!

Another key aspect is to make sure each user has their own login credentials; never use one username and password for all.

2. Put up a strong firewall

Firewalls are an essential aspect of protecting your network; they do so by policing the traffic that comes in and goes out. Firewalls are a standard practice when it comes to network security.

3. Install antivirus protection

Another standard practice is anti-virus & anti-malware software; these are the last line of defence, should you be breached. It is always wise to choose anti-virus & anti-malware software that you trust, and that’s right for you.

4. Update your programs regularly

Ensuring that your programs are regularly updated is vital in the ongoing endeavour of being fully protected. There’s not much value in installing all this fancy software, if you’re not planning to maintain it.

It’s essential to update regularly as the goalposts are constantly moving, and while no security application is 100% fool-proof, it keeps your system up-to-date with the latest protection available!

5. Secure your laptops

Laptops are at a much higher risk of being lost or stolen, due to their portable nature. Because of this, taking extra steps in order to protect your sensitive data is important.

One of the simplest things to do is to encrypt your laptop! Encryption software alters the way information looks on your hard drive so that, unless you have the correct password, it can’t be read.

Another simple but very effective way of protecting your laptop is to not leave it anywhere where it may be an easy target for opportunists. Preventing your laptop falling into the wrong hands may save you, your business and your clients a lot of unwanted aggravation.

6. Educate your employees

Prevention is definitely the best approach when it comes to the security of your data. Make sure your employees understand the importance of safety, when it comes to navigating the internet. They should understand the potential security risks they may put upon the company, if they decide to make bad decisions online.

5 Key Background Checks Employers Need to Make

For a great number of employers, screening the backgrounds of their potential employees is a must. Screening can be complex and challenging, especially when HR and hiring managers are unsure how to stay absolutely compliant.

Currently, 60% of organisations in the UK conduct background screenings, according to the statistics provided by Sterling Talent Solutions.
This percentage is said to increase year on year as employers are becoming more aware of its importance.

Compliance appears to be the top reason employers are carrying out these checks, however, keeping up-to-date with the ever-changing regulations can be challenging. So, the question is, how can employers stay legal when it comes to the screening process?

Criminal Record Checks

Criminal record checks that are carried out by employers must be proportionate and also relevant to the position in question; they must also comply with The Police Act (1997) and the Rehabilitation of Offenders Act (ROA) (1974).

According to employment law associates, employers are allowed to ask applicants about their criminal record; however, the ROA (1974) restricts the extent to which an employer is able to base their decisions on such information.

In the case of “spent convictions” – where a crime has been committed previously, but there has been no re-offence during a given period – employers should not request information. These applicants are treated as having clean records, unless there is an exception that applies under the ROA (1974).

Credit Checks

Credit checks are an element of screening that is used, particularly in the financial sector. Like criminal record checks, they are to be proportionate to the job at hand. For a role like a financial director, a credit check will be necessary, however a job that doesn’t require any financial responsibilities wouldn’t likely need a credit check.

It is recommended by The Information Commissioner’s Office (ICO) that credit checks are to be conducted only when a less intrusive option is not available.

Social Media Screening

By checking platforms like Facebook & Instagram, you are able to capture applicants’ activities that may be potentially incriminating. There are, however, legal risks and consequences if you get it wrong.

The primary issue arises if the job applicant claims that a decision to not employ them was based on information found by the employer on one of their social media accounts.

Education & Credential Verifications

Checking an applicant’s qualifications and credentials can give you a clear understanding of their knowledge, specialties and skill sets.

Some candidates may, however, be tempted to fabricate the results of an education & credential verification check via the use of technology, which can obviously affect the reliability of these kinds of checks.

Reference checks

One of the best ways to ensure that you are hiring the right person is a reference check. It is advised, however, that certain rules are adhered to, such as making sure discriminatory questions are avoided.

Recruiters should be vigilant, as acting on a reference that is potentially discriminatory may cause issues, as they may be liable for damages/loss of earnings, if the offer is withdrawn due to a reference of this nature.