
ICFE eNEWS #17-35 - December 12th 2017

Identity Theft Risk Management and Cyber-Security: Connecting the Dots

By Yan Ross, Director of Special Projects, ICFE

Article originally appeared in November 2017 version of Cyber Defense eMagazine

In recent years, media coverage and public perception of identity theft risk management has begun to be overshadowed by reports of cyber-security threats and responses. Large-scale data breaches have grown as identity thieves and other abusers of sensitive information have become more sophisticated and have used high-tech means to exploit weaknesses in hardware and software applications.

In this context, cyber security is a relative latecomer, but it's clear that IT solutions have taken a central role in defending against cyber hackers. Where is this going? To respond, it's important to address the question "Why do hackers hack?"

"Why do I rob banks?
Because that's where the money is!"
- Willie Sutton

Repositories of big data are the new banks. There are principally three types of hackers, and their exploits mirror those of garden-variety identity thieves.

1. Hacking for financial gain. This includes the sale of sensitive information, which may sell for pennies (like Social Security numbers) or tens of dollars (like medical records and insurance information), with many other elements of Personally Identifiable Information (PII) selling for in-between prices.
2. Hacking for political purposes. This includes both state-sponsored and terrorist exploits, for both access to sensitive information and the distribution of disinformation, as well as unauthorized modifications and denial of service attacks on web sites.
3. Thrill-seekers. No longer limited to the skateboard set living in Mom's basement, this group now includes other sophisticated criminals who apparently experience enjoyment and peer adulation by stealing sensitive information and causing general online havoc.

To some extent, it is tempting to "fight fire with fire," and respond to cyber threats exclusively with cyber defenses. In a perfect world, this would seem to make sense. In some cases, that works even in the real world, and an application or software fix or patch can often overcome a specific cyber security exploit or technical vulnerability.

However, beyond cyber-based data breaches, schemes to gain access through non-technical individuals have proliferated, resulting in growth in both the number and costliness of cyber-attacks. Across this whole threat spectrum, human vulnerability is still the leading entry point of identity theft and data breaches. Numerous recent surveys report that the vast majority of data breaches are rooted in phishing exploits and are successful due to human failure.

Schemes such as social engineering and other manipulations designed to inveigle individuals into launching malware or executable files, and accessing bogus web sites, are often the means used by cyber criminals. Think of a seemingly innocuous e-mail request to update account information for an active account, but with a link to a similar-sounding web site controlled by the cyber criminals, in actuality the means to capture the username and password of the victim.

Regardless of the illicit objectives, the necessary defenses must include both IT responses and education of the broader population of organizations and consumers. Without getting all non-IT users to practice good "cyber hygiene," it is unlikely that the cyber defense system will be successful. As long as there is a human being with a keyboard and a mouse, and access to the system, cyber defenses alone will leave vulnerabilities.

This state of affairs has been referred to as "asymmetrical warfare," in which the opposing sides play by different rules and have different standards of success. The defenders must prevail 100% of the time, while the attackers need only enjoy the occasional success to win.

In practice, the most successful cyber defense is a thoughtful combination of IT methods and education of employees and other users who may have access to sensitive systems and data. One example is the human factor in failing to keep all software programs up to date with important patches to combat perceived and discovered vulnerabilities. Another is the importance of keeping all users up to date on the latest methods used by cyber criminals and identity thieves. The established methods of managing the risks of identity theft, especially through education, are the most likely to be used successfully in conjunction with cybersecurity applications.

For the time being, both IT solutions and user education must be employed together in order to craft an effective defense against cyber criminals. Coordination of these two approaches can best be accomplished by educating general users to recognize and avoid the predations of cyber criminals and identity thieves, as well as providing the technical professionals with a solid understanding of the non-technical vulnerabilities involved. In this way, the desired result of fighting cyber-attacks to a standstill is most likely to be achieved.

Looking ahead, it's important to remember that the internet as a system was not originally intended to serve as a platform for commercial transactions and a system to carry all types of private and personal communications, much less as a command-and-control facility. Essentially, today it's a leaky ship with a fast-growing number of holes, and the patches amount to a crazy-quilt of Band-Aid fixes. Until the entire platform can be separated or replaced with one or several more suited to the kind of integrated security systems that can assure that human failure is not possible, there will be no end to cyber exploits.

One further observation is in order about the future of identity theft and cyber attacks: current projections are that up to 2 million new cybersecurity jobs will be created in the next 4-5 years. How many of these may be made redundant by AI applications? Are we preparing to fight the last war? How will identity theft risk managers work together with cybersecurity professionals to meet this growing threat, now and in the future?

Yan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.

The ICFE's Certified Identity Theft Risk Management Specialist ® XV CITRMS® course is now available both in printed format and online.

The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students available. Inquire at yan.ross@icfe.info

ICFE eNEWS is available FREE upon request by visiting our Web site and filling out the contact form, and selecting "Yes" for "Add to Mailing List." Please pass this eNEWS on to your peers and interested others and invite them to subscribe for free. Also, visit the ICFE's new Web site: StudentDebtHelp.org

Sent by:

Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)

About the ICFE:

The Institute of Consumer Financial Education (ICFE) was founded in 1982 by the late Loren Dunton (creator of the Certified Financial Planner (CFP) designation and founder of the College for Financial Planning in Denver, CO.) The ICFE is dedicated to helping consumers of all ages to improve their spending practices, increase savings and use credit more wisely.

The ICFE is an award-winning, nonprofit, consumer education organization that has helped millions of people through its financial continuing education courses, programs and resources. In addition to eight Certification courses covering identity theft, credit files, credit repair and credit scoring, among others, it also publishes the Do-It-Yourself Credit File Correction Guide, which is updated annually. The ICFE has distributed over one million Credit/Debit Card Warning Labels and Credit/Debit Card Sleeves worldwide.

The ICFE is a partner with the national Jump$tart Coalition for Financial Literacy and the California Jump$tart chapter. The ICFE staff is also active with San Diego Saves and Military Saves, both offshoots of America Saves.

The ICFE is also an on-line help for consumers who spend too much. ICFE's spending help was featured in PARADE Magazine in the Intelligence Report section. The money helps and tips are from the ICFE's Money Instruction Book, our course in personal finance.

The ICFE helps consumers and students with mending spending, learning about the proper use of credit, budget and expense guidelines, how to set up and implement a spending-plan and also how to access financial education courses and how to teach children about money. Other ICFE services include: Ask Mr. G library, a free eNews service, and an online resource center for students, parents and educators, plus financial education learning tools in the ICFE Book Store.



Copyright ©  1997 - by Paul S. Richard
and the Institute of Consumer Financial Education, All Rights Reserved.

Institute of Consumer Financial Education
PO Box 34070
San Diego, Ca 92163
Paul S. Richard, Executive Director
Phone 619-239-1401

FAX 619-923-3284
