Who's watching? Where's my data/information going? Information Security & Cybersecurity - A 30-second lesson/reminder of vulnerability
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
From the relative safety and security of my home, within a matter of seconds and without my awareness, consent or any sense of scale, my data and information were beamed around the world and instantly collected, traded, relayed and compiled by multiple invisible actors, systems and states.
No, this is not the opening passage of a pending science-fiction or horror novel. It's just a random 30-second snapshot of any given day in Australia, which could be yours, anyone else's or any company's experience anywhere in the world, at any given moment.
Imagine this scenario across a business or country.
It's not hard to visualise this data/privacy fireworks display as your information and personal details explode around the world in seconds.
Security professionals are constantly trying to make users, consumers, employees and executives understand their exposure, dangers, risk and vulnerabilities.
However, a growing list of buzzwords, expressions and abbreviations still isn't improving daily digital and information security practices and habits.
Surface area, DDOS, spear phishing, MITRE attacks, threat vectors, SSL, ZTA, MFA, SSO, NFC, NFT, CPTED, TLS, Faraday bag, man-in-the-middle, pentests, containerised, red teaming, data deltas, kill chains, zero-day threats, asynchronous, Raspberry Pi, pineapples, UX, SCIF, air gapped, catfishing, doxing and the like will make most employees' and managers' eyes glaze over, and they default to the path of least resistance: the easiest, laziest means to connect to the internet, services and software.
Most individuals, at all ages, willingly give away complex personal data and information, such as identifiable biometrics like fingerprints, facial features, voice patterns and psychographic identifiers, to complete (international) strangers, vendors and systems.
Paradoxically, they won't permit governments, law enforcement, intimate partners, family members or close friends to get on their personal devices and randomly roam around their information, pictures, preferences, financials, communications or private content.
Many employees and mobile business people spend time and money to protect information and access, only to then turn around and connect to public Wi-Fi networks or hotel systems, or share a picture online that has precise location and activity data embedded in the image. Many did exactly this in the first wave of 'work from home', which remains yet another Achilles heel for businesses, individuals and communities.
This perverse sense of control and protection distorts most digital and information security discussions and initiatives.
Graphic images and marketing campaigns depicting an individual rolling around in a pile of used syringes or licking hand rails on public transport have been used for personal and community health and hygiene awareness and prevention campaigns.
Name-and-shame campaigns have been used during recent public health emergencies such as the pandemic.
However, people, communities, organisations and even governments are doing precisely the same thing every minute around the world when it comes to personal, collective and aggregated data, information and privacy.
Sovereign data objectives can only be achieved if personal and community data challenges are solved or mitigated first.
Simple, fast and graphic communications and campaigns are needed for better or improved information, cyber and security risk management.
Try it yourself: Little Snitch - Network Monitor. The results can be confronting... and shocking.
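The picture-sharing point above (precise location data embedded in an image) can be checked just as directly as network traffic. The following is an added example, not code from the article: a pure-Python reader that pulls the Exif GPS tags out of a JPEG, and the mitigation that strips the Exif segment before the file is shared. The JPEG is constructed in the block (a bare file shell with one Exif segment and no picture data) so it runs offline; the coordinates are made up for the example.

```python
import struct
GPS_IFD_POINTER, LAT_REF, LAT, LON_REF, LON = 0x8825, 1, 2, 3, 4  # Exif tags; TIFF types 2=ASCII 4=LONG 5=RATIONAL
def build_sample_jpeg():
    """Constructed sample: SOI + one Exif APP1 carrying GPS tags + EOI, no image data (little-endian TIFF)."""
    e = lambda tag, typ, cnt, val: struct.pack('<HHI', tag, typ, cnt) + val  # one 12-byte IFD entry
    ifd0 = struct.pack('<H', 1) + e(GPS_IFD_POINTER, 4, 1, struct.pack('<I', 26)) + b'\0\0\0\0'  # at 8
    gps = struct.pack('<H', 4) + e(LAT_REF, 2, 2, b'S\0\0\0') + e(LAT, 5, 3, struct.pack('<I', 80)) \
        + e(LON_REF, 2, 2, b'E\0\0\0') + e(LON, 5, 3, struct.pack('<I', 104)) + b'\0\0\0\0'  # at 26
    rationals = struct.pack('<6I', 33, 1, 52, 1, 10, 1) + struct.pack('<6I', 151, 1, 12, 1, 30, 1)  # at 80, 104
    tiff = b'II*\0' + struct.pack('<I', 8) + ifd0 + gps + rationals
    app1 = b'Exif\0\0' + tiff
    return b'\xff\xd8\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1 + b'\xff\xd9'
def _segments(jpeg):  # yield (marker, start, length) for each metadata segment before scan data or EOI
    i = 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF and jpeg[i + 1] not in (0xD9, 0xDA):
        length = struct.unpack('>H', jpeg[i + 2:i + 4])[0]
        yield jpeg[i + 1], i, length
        i += 2 + length
def _entries(tiff, ifd, end):  # yield (tag, type, count, offset of the 4-byte value/offset field) per IFD entry
    n = struct.unpack(end + 'H', tiff[ifd:ifd + 2])[0]
    for k in range(n):
        pos = ifd + 2 + 12 * k
        yield (*struct.unpack(end + 'HHI', tiff[pos:pos + 8]), pos + 8)
def _dms(tiff, off, end):  # three RATIONALs (degrees, minutes, seconds) -> decimal degrees
    v = struct.unpack(end + '6I', tiff[off:off + 24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the file carries an Exif GPS IFD, else None."""
    for marker, start, length in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b'Exif\0\0': continue
        tiff = jpeg[start + 10:start + 2 + length]
        end = '<' if tiff[:2] == b'II' else '>'  # byte order declared in the TIFF header
        u32 = lambda off: struct.unpack(end + 'I', tiff[off:off + 4])[0]
        gps_ifd = next((u32(v) for t, _, _, v in _entries(tiff, u32(4), end) if t == GPS_IFD_POINTER), None)
        g = {t: v for t, _, _, v in _entries(tiff, gps_ifd, end)} if gps_ifd else {}
        if not all(t in g for t in (LAT_REF, LAT, LON_REF, LON)):
            return None
        sign = lambda ref, neg: -1 if tiff[g[ref]] == ord(neg) else 1  # 'S' / 'W' hemispheres are negative
        return sign(LAT_REF, 'S') * _dms(tiff, u32(g[LAT]), end), sign(LON_REF, 'W') * _dms(tiff, u32(g[LON]), end)
    return None
def strip_app1(jpeg):
    """Mitigation: rebuild the file without any APP1 (Exif/XMP) segment, so no location travels with it."""
    out, pos = bytearray(), 0
    for marker, start, length in _segments(jpeg):
        if marker == 0xE1:  # copy everything before the segment, then skip past it
            out += jpeg[pos:start]
            pos = start + 2 + length
    return bytes(out + jpeg[pos:])
```

Running `extract_gps` on a real photo from a phone camera shows exactly what a casual upload gives away; `strip_app1` is the habit to build before sharing, and most platforms do not do it for you on every path.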
The growing deficit of cyber-specific security professionals will never be filled nor vulnerabilities corrected (risks mitigated) when the threat base of users and exploitable options grows at an exponential rate, coupled with generations of devices and practices that were never secure-by-design in the first instance.
More is needed to educate children, parents, consumers, citizens and employees about the realities of what happens each and every time they turn a device on or have a 'connected' device of any kind in their homes, businesses, communities or public space(s).
I take proactive security and safety measures across all devices and practices at all times.
But I'm not immune and I'm not as well resourced, networked and smart as the growing legion of bad actors, developers, threat agents and state-sponsored entities that invisibly roam ambient space.
I'm always under some form of surveillance, even when I sleep. So are most of you.
Technology and devices are the gateway. More people need to understand these basics first.
In sum, 'connected' means watched, accessible and vulnerable.
Most software, devices and innocuous 'things' that connect are insecure-by-design.
That is, design, manufacture and sales/profits necessitate the fastest, cheapest and most expedient release... not protection from current and future adroit predators, bad actors, states or criminals.
Then we force them all to connect and 'play' with each other...further weakening protection and promoting greater access, sharing, bargaining, etc.
What was a simple, cheap industry/operational control made offshore, is now a global network of thousands of devices that can shunt, open/close or manage critical infrastructure for evil means.
Your home and business are increasingly becoming a playground for good intent and for bad actors or behaviours too.
Regulation and governments won't fix this until you fix your issue(s).
The first step is being aware how delicious you, your data, your information and your behaviour are to hungry predators roaming the online jungle for food and reward(s), particularly large cornucopias such as government or corporate data.
A cryptosystem should be secure, even if everything about the system, except the key, is public knowledge.
Tony Ridley MSc CSyP MSyl M.ISRM
Security, Risk, Resilience, Safety & Management Sciences