The article below, by Tom Malcolm, Head of UK Cyber at New Dawn Risk, was originally published in Insurance Day magazine on 3rd February 2020.
Most people look forward to retirement, and many have a ‘bucket list’ of ideas for what they want to do.
However, in the rapidly moving world of cyber risk, one fact of growing importance that is regularly missed by new retirees is that the withdrawal of the corporate umbrella also means the withdrawal of corporate cyber protection. Once the company laptop and phone are handed in, retirees are on their own with IT, and will, possibly for the first time in their lives, have to navigate their own way through the murky waters of cyber safety.
A critical multiplier of this problem is that not-for-profit organisations which interact with the retired community tend to have much lower levels of cyber protection than actively commercial companies. This means that this area is high risk and yet also severely under-protected – an almost perfect storm of increased vulnerability.
Most people who retire want to try something new, and the most common list of ideas includes taking holidays, volunteering or joining a club.
Unfortunately, all of these activities are characterised by high levels of cyber risk. Take travel. With 81% of holidays being booked online (Association of British Travel Agents), it is estimated that only 29% of travel sites offer full protection against phishing attempts. Holiday money firm Travelex was subject to a large-scale ransomware attack in January 2020. Although Travelex denies it, the hackers claim they had been in the Travelex systems for six months and had taken 5GB of sensitive customer data.
Meanwhile, local clubs and volunteer organisations also carry high data risk for participants. Almost all clubs and volunteer organisations have extremely low levels of data protection and limited cyber awareness. Payment protocols for club membership fees can be very insecure. Sports and social clubs and the like often have amateur committees, which leaves cyber awareness low and subject to chance. For example, if the club treasurer’s computer gets hacked, the direct debit and payment details of all members can quite easily be accessed.
With the exception of a few of the largest, charities also lack the manpower to manage and protect fully against cyber risk. At their core, charities are looking to help the people they serve. This is done by maximising the money spent on their chosen sector, and so additional spend and allocation of time on other matters such as security is limited.
But at the same time, they hold funds as well as personal, financial and commercial data. There are signs that this risk is now being recognised. The proportion of charities that treat cyber security as a high priority rose to 75% in 2019, compared with just 53% the year before, and is now at the same level as businesses.
With good news at the charity level, individuals here can help widen awareness of the issue by focusing on cyber security for any small community organisations that they’re involved in, and by asking whether some form of protection can be afforded.
Ill health and social care
Many older retirees have issues with health, mobility and care. People become more vulnerable, and yet the organisations that they interact with are not famed for their ability to protect the people they look after from hacking and related issues.
Hospitals and doctors’ surgeries have been at the centre of large-scale hacking incidents more than once, while care homes are acknowledged as often lacking strong central IT resources, quite apart from the risk factors that come from large numbers of care workers having direct access to residents’ belongings, including bank cards and data. A glance at the findings of Australia’s recent Royal Commission on care for the elderly gives some horrifying evidence of how regularly those who live in homes can be preyed upon by the teams that are supposed to care for them.
Individuals can do little to influence hospitals or doctors’ surgeries, but here the risks have become better known since the 2017 WannaCry attack paralysed 60% of NHS services. We are all reliant on both private and NHS organisations investing in cyber protection and ensuring that they prioritise the safe management of patient data. Of course, it is worth considering that private medical facilities are in some ways more of a risk than the NHS because, although better funded, they will hold details of patients’ payment information alongside their medical records, doubling the impact for those involved.
Creating a cyber shield
Those who are cared for at home will also be vulnerable. They are often alone, accessible to casual visitors, and with their bank details and cash available to anyone who visits the home. The risks are obvious, but what is less clear is how to take action to build a complete protective shield around the growing retired community, helping them to ensure that they, their data and their finances are protected throughout the later years of their lives.
Families cannot shoulder the whole burden. So, what can those businesses that work with the elderly do to protect their community? Care homes are a particularly vulnerable part of the front line, as they hold a huge amount of PII (Personally Identifiable Information) on their patients. Much work could be done here, in terms of increased training and awareness for care home staff and for families of residents, combined with an up-to-date and well-maintained IT infrastructure. Insurance coverage also needs to be increased, with a step change needed in residential home groups’ awareness of the need to protect their residents from cyber risk at every level.
Solutions can be found
Action is needed, and the insurance industry can help with this. Care homes, private hospitals and charities are at the front line. All of them need to tighten their cyber protections, and also develop greater awareness of the need to knit together full protection for the people in their care. Let’s work with these groups to build their education and protection as much as we can.
Tom Malcolm is Head of UK Cyber at New Dawn Risk