It can be nerve-racking to give out this sort of information, especially when data breaches are becoming increasingly common.
What can users do to find out whether a particular online service is cybersecure and has proper data protection policies, before signing up for it?
Digital Edge speaks to Anthony Tai, executive director of Deloitte’s risk advisory division in Malaysia, to find out.
Before signing up for an online service, what should consumers look out for?
Realistically, it is virtually impossible to ensure that you are fully protected and that there is no risk arising from using an online service. However, you can reduce the risk by performing adequate due diligence on the service provider.
Ideally, you should consider the following areas before you decide to share your personal information:
One critical criterion is how open an online service provider is with potential users about how their personal data is treated. Data governance and trust principles should be clearly stated, and this includes the purpose and objectives of data processing, the type of data being processed, and how the personal data is stored and secured.
This is particularly important because how transparent an organisation is with users corresponds directly with how much respect the online service provider places on your personal data.
2 Data privacy
According to the United Nations Conference on Trade and Development, 128 out of 194 countries have legislations to secure the protection of data and privacy. Though differing in some areas, most privacy Acts share some common principles, for example:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Storage limitation
• Integrity and confidentiality
In this instance, you should evaluate the online service provider on which privacy laws they are complying with. It is also pertinent to consider their policies in relation to the following areas:
• Right of access to your own data
• Right to be forgotten
• Notification service-level agreements in case of a breach
• Opt-out options
Last but not least, it is also important to consider the robustness and strength of the cybersecurity and IT controls employed by the online service provider. This can be demonstrated via various certifications and attestation reports available from independent third parties.
Some certifications that are relevant include ISO27001, 27017, 27018, 27701, PCI DSS, CSA STAR, WebTrust and SysTrust.
There are also attestation reports commonly known as SOC1, SOC2 and SOC3 reports that provide the reader with a good understanding of the operating effectiveness of key controls employed by the organisation.
This information is normally published under the compliance or “about” sections on websites. Most organisations that have certifications will publish this information.
Fintech platforms often say they offer “bank-grade” security. What does that mean?
Bank-grade security essentially means that the platform has adopted a robust cybersecurity and IT controls framework based on the requirements from NIST (National Institute of Standards and Technology), COBIT (Control Objectives for Information and Related Technologies) or other similar best practice standards. This can be evidenced in the existence of certifications as mentioned above or SOC reports.
What about data security?
Data security is a key consideration in relation to data protection and privacy. Consumers should pay attention to disclosures from the platform or service provider in relation to whether they are compliant with privacy laws such as the General Data Protection Regulation and the Personal Data Protection Act.
What are some red flags consumers should be aware of?
Always check if the online service provider employs sufficient access security controls. These could include multifactor authentication, passphrase or image confirmation and controls surrounding email address and contact information changes.
Also check that the site uses secure connections (such as SSL, TLS), has updated certificates and, in general, feels right. If unsure, do not use the service.
Clicking on the lock icon on the address bar will display information about whether the website is secure, its certificates valid, the cookies in use and tracking permissions, among other things.
That being said, always be aware of social engineering attacks. These can come via various channels.
What should consumers do if they hear that a service they use has been breached?
Contact customer support. Reputable online service providers have protocols set in place to address these incidents. Hence, it is important to subscribe to services from platforms that are transparent and have demonstrated a commitment to respect customer privacy. Appropriate and adequate due diligence should be performed on the service provider (such as transparency, data privacy and compliance).