How many online accounts did you open during the pandemic? A new survey examines the impact of this digital surge on risk to consumers and businesses alike.

The unexpected nature of a global pandemic that washed over the entire world left everyone scrambling to maintain their daily activities and work as best they could. With stay-at-home orders that lasted for months on end, most people resorted to consuming services and ordering goods online, encompassing everything from groceries to telemedicine and working remotely. In the process of having to shift to being remote or indoors more often than not, companies opened up their doors to digital experiences and most people opened numerous new accounts with vendors they never used before. But this account boom can come at a cost to security in the long run.

A new global survey from IBM found that consumers’ reliance on digital channels has indeed increased significantly during the pandemic. With individuals creating an average of 15 new online accounts during the pandemic, billions of new accounts were likely created around the world. How will this digital shift impact the security and privacy landscape moving forward? If you’re thinking a growing attack surface and readily available leaked accounts, you’re on the right track.

A digital account boom has led to password fatigue

Society’s reliance on email/password combinations and the overall growth in new online accounts is causing people to resort to lax password behaviors. Roughly 82% of consumers admitted to reusing credentials at least some of the time.

Side Effect: The majority of the new accounts created likely relied on reused email/password combinations that may already have been exposed in data breaches over the past several years. This means that whatever new accounts a person has are going to be easily compromised by past breaches that happened before that account was ever set up.

Remedy: Shifting to more modern forms of authentication should become a priority for companies. That includes offering two-step or multifactor authentication for accounts. For consumers, it is highly recommended to always enable two-step authentication where possible, and the preferred method is using an authenticator app versus codes sent by SMS.

Convenience outweighs security and privacy concerns

The security versus convenience conundrum is a dated one. In a past survey that looked at the authentication methods people preferred, IBM found that preferences for security were rated highest on users’ financial accounts and gradually gave way to convenience across online marketplace apps and social media. It was not surprising to learn that in our current survey, millennials continue to gravitate toward convenience when it comes to digital ordering — in fact, more than half say they would rather place an order using a potentially insecure app or website versus call or go to a physical location in person (51%).

Side Effect: With users more likely to overlook security concerns for the convenience of digital ordering, the burden of security falls more heavily on the companies providing these services.

Remedy: Users expect security to be inherent to the services they consume and provided in a transparent way. In a past survey, IBM found that about 25% of millennials will also move on from a breached provider to a competitor. It is important to deploy services that allow users to boost their own security, like enabling two-factor authentication or biometric logins, and to integrate identity and access solutions that can protect customer accounts in a seamless way.

Diving deeper into digital health care channels

Approximately 63% of consumers engaged with COVID-19-related services via digital channels — from web, to mobile apps, email and even text messages — and are not always aware of the privacy and personal health data implications.

Side Effect: Health care providers can use this momentum to up their digital engagement with patients moving forward, offering greater efficiency and more accessible information to patients. But to maintain digital trust, providers must ensure the right security measures are in place to keep patient data private and protected.

Remedy: Due to the nationwide public health emergency instated during the COVID-19 pandemic, official guidance on how health care providers communicate with patients via telehealth was relaxed, but platform choice was restricted to non-public-facing ones, in order to remain mindful of HIPAA implications. It is important for all care providers to review the requirements and set up properly controlled telehealth infrastructure that can enable them to remain compliant and safeguard patients’ personal health information.

Paving the way for digital ID?

The concept of vaccine passports introduced consumers to a real-world use case for digital credentials, which offer a technology-based approach to verify specific aspects of our identity. Of our survey respondents, 65% say they are now familiar with the concept of digital credentials, and 76% are likely to adopt the method.

Side Effect: The exposure to digitized ID methods may help spur wider adoption of modernized systems of digital ID, offering individuals a way to share only the specific information needed versus excess information found on traditional IDs (passports, drivers’ licenses, etc.). That said, it will be critical to harden digital identity applications against existing compromises of the actual device and protect data inside the apps and as it travels between recipients of the credentials.

Remedy: Securing applications on mobile devices is a critical step in releasing apps to the consumer and business marketplace. One way to make apps more secure is to have them tested by hackers who provide an attacker’s point of view and can find the ways by which malicious outsiders may try to compromise the app. Another important step is ensuring that the apps themselves are not counterfeited to present fake information. To that effect, blockchain solutions can help verify credentials in a centralized manner and prevent forgery.

Digital side effects will linger post-pandemic

Will this account boom subside once we return to a more normalized lifestyle after the pandemic? Apparently not quite. Of our survey respondents, 44% do not plan to delete or deactivate the new digital accounts they created during the pandemic.

Side Effect: From banking, to groceries, retail and restaurants, respondents said they will rely more heavily on digital versus physical channels after the pandemic compared to how they used apps prior. While this shift can provide efficiencies for both businesses and consumers, companies must ensure their security is designed to support this growth.

Remedy: Businesses that saw a huge surge in new online users during the pandemic also became more attractive targets to cyber criminals and must reevaluate their technologies and strategy accordingly. That includes an evaluation of the digital infrastructure that supports growth and how it is being secured in terms of staff and technological controls, especially in the cloud. With the threat of data theft and extortion, the rising numbers of customers translate into increasing amounts of data each provider manages, calling for a fresh approach to data encryption and safeguarding.

How organizations can adapt to the shifting consumer security landscape

  • Zero trust approach: Given the increasing risks, companies should consider evolving to a zero trust security approach, which operates under the assumption that the security of an identity, or the network itself, may already be compromised, and therefore continuously validates the conditions for connection between users, data and resources to determine authorization and need. Going beyond allowing access to an identity or a resource, the context of access is also scrutinized and is checked continually to limit potential compromise and the scope of a breach.
  • Modernizing consumer identity and access management: For companies that want to continue leveraging digital channels for consumer engagement, providing a seamless authentication process is key. Investing in a modernized Consumer Identity and Access Management (CIAM) strategy can help companies increase digital engagement — providing a frictionless user experience across digital platforms and using behavioral analytics to decrease the risk of fraudulent account use. We refer to this approach as silent security: a process that remains invisible to the user by applying advanced, behind-the-scenes technology to investigate and authenticate users in real time. CIAM solutions that support a silent, frictionless experience may rely on adaptive access controls to screen for risky behavior. These controls adapt to changing factors in the user’s location, device or even their behavior (e.g., How are they holding the device? Are they striking the keys harder than usual?). Adaptive access controls are part of a new generation of CIAM solutions that can protect users while preserving a great customer experience.
  • Data protection & privacy: Having more digital users means that companies will also have more sensitive consumer data to protect. With data breaches costing companies $3.86 million on average, organizations must ensure that strong data security controls are in place to prevent unauthorized access — from monitoring data to detecting suspicious activity to encrypting sensitive data wherever it travels and rests. Companies should also implement and communicate the right privacy policies in order to maintain consumer trust.
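
The adaptive access controls described in the CIAM item above can be sketched as a login decision that stays silent for familiar context and asks for a second factor when the context changes, which is also what catches a correct but reused password arriving from an unfamiliar device. This is an added example, not code from IBM or any CIAM product; the signal names, weights, thresholds and sample baseline are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Baseline:
    """Context previously seen for one account (constructed sample data)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    keystroke_ms_mean: float = 180.0  # typical interval between key presses
    keystroke_ms_std: float = 25.0

@dataclass
class LoginContext:
    device_id: str
    country: str
    keystroke_ms: float
    password_ok: bool

# Hypothetical weights and thresholds; a deployment would tune these on its own data.
WEIGHTS = {"new_device": 40, "new_country": 35, "typing_anomaly": 25}
STEP_UP_AT, DENY_AT = 30, 90

def risk_signals(ctx, base):
    """List the ways this attempt differs from the account's baseline."""
    signals = []
    if ctx.device_id not in base.known_devices:
        signals.append("new_device")
    if ctx.country not in base.usual_countries:
        signals.append("new_country")
    # Behavioural signal: typing cadence more than 3 standard deviations off.
    if abs(ctx.keystroke_ms - base.keystroke_ms_mean) > 3 * base.keystroke_ms_std:
        signals.append("typing_anomaly")
    return signals

def decide(ctx, base):
    """Return (decision, score, signals); decision is allow, step_up or deny."""
    if not ctx.password_ok:
        return "deny", 100, ["bad_password"]
    signals = risk_signals(ctx, base)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "deny", score, signals
    if score >= STEP_UP_AT:
        return "step_up", score, signals  # prompt for a second factor
    return "allow", score, signals        # silent: no extra friction

BASE = Baseline(known_devices={"dev-laptop-01"}, usual_countries={"DE"})

if __name__ == "__main__":
    attempts = [LoginContext("dev-laptop-01", "DE", 175.0, True),
                LoginContext("dev-unknown-77", "DE", 175.0, True),
                LoginContext("dev-unknown-77", "BR", 60.0, True)]
    for a in attempts:
        print(a.device_id, a.country, decide(a, BASE))
```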