How many online accounts did you open during the pandemic? A new survey examines the impact of this digital surge on risk to consumers and businesses alike.

The unexpected nature of a global pandemic that washed over the entire world left everyone scrambling to maintain their daily activities and work as best they could. With stay-at-home orders that lasted for months on end, most people resorted to consuming services and ordering goods online, encompassing everything from groceries to telemedicine and working remotely. In the process of having to shift to being remote or indoors more than not, companies opened up their doors to digital experiences and most people opened numerous new accounts with vendors they never used before. But this account boom can come at a cost to security in the long run.

A new global survey from IBM found that consumers’ reliance on digital channels has indeed increased significantly during the pandemic. With individuals creating an average of 15 new online accounts during the pandemic, billions of new accounts were likely created around the world. How will this digital shift impact the security and privacy landscape moving forward? If you’re thinking a growing attack surface and readily available leaked accounts, you’re on the right track.

A digital account boom has led to password fatigue

Society’s reliance on email/password combinations and the overall growth in new online accounts is causing people to resort to lax password behaviors. Roughly, 82% of consumers admitted to reusing credentials at least some of the time.

Side Effect: The majority of the new accounts created likely relied on reused email/password combinations that may already have been exposed in data breaches over the past several years. This means that whatever new accounts a person has are going to be easily compromised by past breaches that happened before that account was ever set up.

Remedy: Shifting to more modern forms of authentication should become a priority for companies. That includes offering two-step or multifactor authentication for accounts. For consumers, it is highly recommended to always enable two-step authentication where possible, and the preferred method is using an authenticator app versus codes sent by SMS.

Convenience outweighs security and privacy concerns

The security versus convenience conundrum is a dated one. In a past survey that looked at the authentication methods people preferred, IBM found that preferences for security were rated highest on users’ financial accounts and gradually gave way to convenience across online marketplace apps and social media. It was not surprising to learn that in our current survey, millennials continue to gravitate toward convenience when it comes to digital ordering — in fact, more than half say they would rather place an order using a potentially insecure app or website versus call or go to a physical location in person (51%).

Side Effect: With users more likely to overlook security concerns for the convenience of digital ordering, the burden of security falls more heavily on the companies providing these services.

Remedy: Users expect security to be inherent to the services they consume and provided in a transparent way. In a past survey, IBM found that about 25% of millennials will also move on from a breached provider to a competitor. It is important to deploy services that allow users to boost their own security, like enabling two-factor authentication or biometric logins, and to integrate identity and access solutions that can protect customer accounts in a seamless way.

Diving deeper into digital health care channels

Approximately, 63% of consumers engaged with COVID-19-related services via digital channels — from web, to mobile apps, email and even text messages — and are not always aware of the privacy and personal health data implications.

Side effect: Health care providers can use this momentum to up their digital engagement with patients moving forward, offering greater efficiency and more accessible information to patients. But to maintain digital trust, providers must ensure the right security measures are in place to keep patient data private and protected.

Remedy: Due to the nationwide public health emergency instated during the COVID-19 pandemic, official guidance was relaxed around how health care providers communicate with patients via telehealth, but restricted platform choice to non-public facing ones, in order to remain mindful of HIPAA implications. It is important for all care providers to review the requirements and set up the properly controlled telehealth infrastructure that can enable them to remain compliant and safeguard patients’ personal health information.

Paving the way for digital ID?

The concept of vaccine passports introduced consumers to a real-world use case for digital credentials, which offer a technology-based approach to verify specific aspects of our identity. And, 65% of our survey respondents say they are now familiar with the concept of digital credentials, and 76% are likely to adopt the method.

Side effect: The exposure to digitized ID methods may help spur wider adoption of modernized systems of digital ID, offering individuals a way to share only the specific information needed versus excess information found on traditional IDs (passports, drivers’ licenses, etc.) That said, it will be critical to harden digital identity applications against existing compromises of the actual device and protect data inside the apps and as it travels between recipients of the credentials.

Remedy: Securing applications on mobile devices is a critical step in releasing apps to the consumer and business marketplace. One way to ensure apps are more secure is to test them by hackers who provide an attacker’s point of view and can find the ways by which malicious outsiders may try to compromise the app. Another important step is ensuring that the apps themselves are not counterfeited to present fake information. To that effect, blockchain solutions can help verify credentials in a centralized manner and prevent forgery.

Digital side effects will linger post-pandemic:

Will this account boom subside once we go to a more normalized lifestyle after the pandemic? Apparently not quite. Of our survey respondents, 44% do not plan to delete or deactivate the new digital accounts they created during the pandemic.

Side Effect: From banking, to groceries, retail and restaurants, respondents said they will rely more heavily on digital versus physical channels after the pandemic compared to how they used apps prior. While this shift can provide efficiencies for both businesses and consumers, companies must ensure their security is designed to support this growth.

Remedy: Businesses that saw a huge surge in new online users during the pandemic also became more attractive targets to cyber criminals and must reevaluate their technologies and strategy accordingly. That includes an evaluation of the digital infrastructure that supports growth and how it is being secured in terms of staff and technological controls, especially in the cloud. With the threat of data theft and extortion, the rising numbers of customers translate into increasing amounts of data each provider manages, calling for a fresh approach to data encryption and safeguarding.

How organizations can adapt to shifting consumer security landscape

  • Zero trust approach: Given the increasing risks, companies should consider evolving to a zero trust security approach, which operates under the assumption that the security of an identity, or the network itself, may already be compromised, and therefore continuously validates the conditions for connection between users, data and resources to determine authorization and need. Going beyond allowing access to an identity or a resource, the context of access is also scrutinized and is checked continually to limit potential compromise and the scope of a breach.
  • Modernizing consumer identity and access management: For companies that want to continue leveraging digital channels for consumer engagement, providing a seamless authentication process is key. Investing in a modernized Consumer Identity and Access Management (CIAM) strategy can help companies increase digital engagement — providing a frictionless user experience across digital platforms and using behavioral analytics to decrease the risk of fraudulent account use. We refer to this approach as silent security: a process that remains invisible to the user by applying advanced, behind-the-scenes technology to investigate and authenticate users in real time. CIAM solutions that support a silent, frictionless experience may rely on adaptive access controls to screen for risky behavior. These controls adapt to changing factors in the user’s location, device or even their behavior (e.g., How are they holding the device? Are they striking the keys harder than usual?). Adaptive access controls are part of a new generation of CIAM solutions that can protect users while preserving a great customer experience.
  • Data protection & privacy: Having more digital users means that companies will also have more sensitive consumer data to protect. With data breaches costing companies $3.86 million on average, organizations must ensure that strong data security controls are in place to prevent unauthorized access — from monitoring data to detecting suspicious activity to encrypting sensitive data wherever it travels and rests. Companies should also implement and communicate the right privacy policies in order to maintain consumer trust.
Learn more on zero trust

More from X-Force

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today