What Companies, Governments & Consumers Can Do To Protect Their Sensitive Data

B&T Magazine
Edited by B&T Magazine



    In this guest post, Darren Reid, VMware’s Security Business Unit Director, Australia & New Zealand, offers his tips on how consumers, companies and governments can better protect their critical data to minimise the impact of cyber security breaches.

    Several high-profile data breaches last year (and more recently) showed us, once again, just how easy it is for sensitive information to end up in the hands of those who would use it for criminal activity and financial gain. But it really doesn’t have to be this way.

    The lead-up to the Christmas period no doubt saw many of us fork out our personal information to businesses we wanted to buy goods from but might have never dealt with previously. That’s what a big part of the online shopping experience is: filling in webforms about ourselves.

    But would you hand over the same sort of personally identifiable information when you walk into a shop and buy something in person? Probably not.

    Let’s take a moment to think about the information we willingly hand over on a regular basis. Have you shared your date of birth in an online form recently? What about your address or your driver’s licence number? How about your Medicare number? If you have, it’s possible you’ve handed over 100 points of identification without even realising it.

    This is where it gets tricky, because 100 points of identification is often all a cybercriminal needs to steal someone’s identity and commit fraud under their name. This is just one of the reasons why the data breaches that hit the headlines last year were so troubling.

    It seems that too many businesses have got into the habit of collecting information about their customers without really giving much thought to why they need it and how they’ll use it. Likewise, many of us have become all too comfortable with handing over personal information when we’re asked for it without questioning why.

    Guess what? A lot of the personal data collected by companies for the demographic information used in targeted marketing efforts isn’t even that relevant anymore. COVID-19 saw to that, with consumer buying habits no longer adhering to historical norms and expectations.

    What does this mean for businesses and individuals?

    Well, for starters, it means businesses probably don’t need to ask for much of the personal information they currently hold, and it means consumers probably don’t need to offer it. In fact, a widespread rethink about how we use personal data could end up seeing consumers, businesses and governments working together to keep it safer.

    Here’s what consumers, businesses and governments can do to improve personal data safety:

    Consumers

    I’m a consumer, you’re a consumer; we’re all consumers. While businesses and governments can probably do more to keep consumers’ personal information safe, there’s quite a bit we can do ourselves as well. After all, it’s our information; let’s take some ownership and responsibility for it.

    As a starting point, we can choose not to share information if it’s not relevant to a transaction. It’s fine to leave out any non-essential information from online web forms. If an online retailer doesn’t give you a choice as to what information you share and what information you don’t, perhaps you can find the item you’re after elsewhere.

    If you do have to provide personal information, be aware of what you’re sharing and how it might be used. If you’re not comfortable with sharing something, you can probably get away with falsifying it. If there’s no official reason for an organisation to know your date of birth or address, for example, make it up. It’ll be one less piece of personal information out there.

    There are other ways to keep your personal information from getting into the wrong hands. It takes just seconds to set up a standalone email address for use when checking out online. Moreover, prepaid debit cards or low-value credit cards can be used to minimise the potential exposure of sensitive data.

    Companies

    For their part, businesses should review the data they request and collect to identify how much of it is actually needed. This is a first step to minimising the potential fallout if data is breached. A lot of demographic data is not as useful or even as accurate as it once was. If it’s not needed, destroy it. Simple.

    Even if sensitive information is collected for customer personalisation that goes beyond conventional demographics, there are ways to minimise the risk of potential exposure. For starters, businesses can encrypt data that’s sensitive or personally identifiable. This protects data and makes it less appealing to cyber criminals, as it becomes essentially useless if stolen.

    Credit checks and identification verification are two areas in which personal information is a legitimate requirement. But businesses don’t necessarily have to do this themselves. There are plenty of third-party credit verification providers that are typically held to higher standards when it comes to protecting the data they possess than organisations in other sectors.

    Governments

    State governments have long held plenty of personal information about their citizens, as has the federal government. Government bodies are held to a much higher standard when it comes to the data they possess than most businesses in the private sector. There’s a good reason for this. Governments hold a lot of personal data about us. But they also provide the services we use every day and issue essential items such as driver’s licences and other forms of identification.

    If governments already hold this data, why not offer identification verification-as-a-service? We are already seeing the NSW State Government offering some limited verification services which, when combined with the new digital ID offerings, both limit the likelihood of information being stolen and, equally, improve the speed with which the government can reissue IDs in the event of a breach. This type of offering is something that needs to be delivered across the country.

    The reality is that it’s probably safer for a government to hold that data than it is for a private organisation. Not only are governments held to the highest standards when it comes to protecting citizens’ data, there is a certain level of transparency to how that data is used.

    Given governments of all types hold our data already and are likely to be called upon to reissue identity documents that are breached, surely it is worth their while ensuring they have an offering that makes the validation of, and the replacement of, personal identity documents safer and more protected.

    If we recognise that our data is valuable and we take better care of who we give it to; if the companies that need this data only store as much of it as is absolutely necessary and we have a more rapid way of reprovisioning breached credentials, then we are all in a better place for 2023 and beyond.
