As a simple metric, the FBI has seen a fourfold increase in cybersecurity complaints. At the same time, the global losses from cybercrime exceeded $1 trillion in 2020.

The world post-2020 isn't quite the same. While the digital transformation is accelerating, executives still need to figure out ways to secure their digital assets and teams.

2021 PwC survey on CEOs says: "remote working makes cybersecurity a top worry."#

The PwC underlines that focusing security efforts on risk dashboards, surveillance and technical initiatives remains tempting. CEO and CISO know how to account for those investments.

According to PwC, around half of CEOs plan increases of 10% or more in their long-term investment in digital transformation. Paradoxically, despite the level of concern CEOs registered about cyberattacks, just under half of those planning for heightened digital investment is also planning to boost their spending on cybersecurity and data privacy by 10% or more.

The PwC report stresses that "leaders who are serious about cybersecurity need to embrace simplicity in their strategic dialogue about their business models, ecosystems and in-house processes".

Read more about the PwC 2021 report.

A look at the five biggest cybersecurity threats in 2021:#

As cyber threats become sophisticated, it becomes illusory to think that a technical fix would do the job. People, teams, management, and suppliers, customers, every node of the network ought to be onboarded.

Security Magazine builds down the five cybersecurity risks as:

• Social engineering - Social engineering techniques account for a third of all breaches in 2020. 90% of social engineering hack is based on phishing. Spear phishing attacks are behind 95% of breaches in enterprise networks, according to Cisco.
• Ransomware - In 2020, combined ransomware demands reached $1.4B. Ransomware ranks as the third most popular malware causing data breaches.
• DDoS attack - Just for the first half of 2020, there were 4.83M DDoS attacks attempted. Besides increasing traffic, cybersecurity experts stress that criminals use AI to perform DDoS. Remote workforces became highly dependent on online services. Any failure of those may cost even more to businesses.
• 3rd party software - Besides hammering your business reputation, the data breach caused by a third party costs $4.29M on average. The third-party vendor ecosystem becomes a pool of vulnerabilities.
• Cloud Computing Vulnerabilities - while the cloud computing market keeps growing rapidly, the attempted breaches grew by 250% compared to 2019. Cloud systems are also critical components of DDoS attacks.

Read more about it on Security Magazine.

Keep in mind, employees are not the same at home#

To delve further into corporate security solutions, CISO Jonathan (Jony) Fischbein has inspiring words. One of the main point to bear in mind is that "employees are not the same" when they are at home. Not only because of mixing professional and private time-spaces, their mental awareness, work implication, or feeling of security are different from the days they have badged to enter their office.

"Nobody is looking" when we work from home. Internet accesses or multitasking practices are not to ban or forbid. But we shall bear in mind that they add a fair amount of risk to your organization.

Jony Fischbein coins these times as "Pandemic Security" times.

More on Cyber Talk.

So here is what to protect, and when.#

Experts gathered by Sloan note that cybersecurity is shifting away from a perimeter-based model where all assets inside a network are trusted. Instead, zero-trust architectures, where individual devices and applications are always authenticated and authorized before gaining access to a network, need to become the norm.

Regarding digital assets to care for, consider:

• identities and credentials
• data, in its different states (at rest, in move, in use)
• code

As for exposure points, consider:

• storage
• run-time
• transfer

Continue reading the details on Security Magazine.

Personal medical information are the cornerstone of relevant eHealth, and yet remain unmanaged.#

Who gets to host - and provide remote access to - patients medical data?#

Each and every medical expert and organisation holds dear to the patient data they host. And they have to. But each part of the patient data portfolio remains to be enriched with the rest of the information. With services increasingly requiring access to patient's medical data, the responsibility over medical data custody is scattered.

Yes, the patient should be in charge. But is the patient literate enough to handle health data properly?#

All field experts and governments agree.The legitimate custodian of medial data is the patient him/herself (or his/her legal tutor). But everyone also concurs on that patients are rarely equipped or taught how to carefully handle their data.

With Consento, handle patients' medical data in a shared responsibility custody.#

With Consento app, the medical data can be stored encrypted on various servers, safely replicated. The encryption key is split into unique parts, that need to be reassembled to decrypt the data set or part of the data set. The patient, the principal physician or the medical institution may each hold parts. All interactions are logged in right into the data custody.

Because security comes as a network, Consento makes it easy to onboard all patients, their close ones and expert users. By putting some humanity back into distributed cryptographic technologies, Consento combines high-level encryption and decreases the possibility of human errors.

Consento diffuses the cost of handling medical data in separated silos, and increases the value to be processed out of datasets shared across selected partners. With Consento, your organisation reputation is safe.

User-centric + co-responsibility + access control in medical datasets.#

Out of the box certified#

Following up in the Next Generation Internet (NGI) series, the Consento team is delighted to be invited at the TETRA Bootcamp 'Scale Up'. NGI is dedicated to the emergence of a more resilient, trustworthy and sustainable Internet.

Aiming for mindful growth#

The bootcamp is crafted for NGI innovators and businesses that aim at accelerating the adoption of their product. At Consento we are exploring verticals for which our technology would bring the most value.

We will keep you posted of the outcome of the bootcamp!

GDPR is a regulation set in Europe, mainly to protect personal data by setting out the rules on how to deal with/transfer data. However, the tricky part is that this regulation goes beyond the border if you deal with personal data linked to users residing within EEA. Comment

Japan is also one of the biggest countries which has numerous business activities between Europe, and we see an increasing awareness of GDPR in Japan. On 27th February, we had an opportunity to give a webinar at Project DS run by Mr. Hiroshi Sonoda from Yamato Logistics, and we introduced the narrative of GDPR in the European context, and how Consento as a startup supported by NGI Ledger program is trying to offer the solution.

“Background of GDPR and European Values on Privacy - Europe’s Frontline Attempt to Create a New Internet Space”#

Since the General Data Protection Regulation (GDPR) was officially launched in Europe in 2018, there has been a lot of focus in Europe on data privacy considerations and the use of decentralized networks such as blockchain. Considering the huge fines for violations and the risk of damaging company’s reputation, it is important that not only European companies but also Japanese companies that exchange data with Europe take action. With presenting the example of Consento developing GDPR compliant data privacy apps, we discussed on the current data privacy situation in Europe right now.

What’s Project DS?#

Project DS is a closed community of 100+ people in various businesses to foster digital transformation in Japan, and the aim is to learn from each other through presentations and networking.

The organizer, Mr. Sonoda is a member of the SAAJ (System Auditors Association Japan), the Institute of Actuaries of Japan, and the ITPS (Japan Management Association). After working for Meiji Yasuda Life Insurance Company’s Information Systems Department, The Meijiseimei Asset Management of America INC (NY), and Yamato Autoworks Co. He has worked as a Board Member, PM, PMO, and Solution Consultant for general-purpose computer system development, Open system development, and AI evangelist. He is also an auditor for an architectural company, a consultant for an IT-related company, a representative for a DX project, and an advisor for public insurance. He has a strong passion for fostering Digital Transformation in Japan.

About 30+ DX enthusiasts participated in our webinar, and we had some very interesting discussions on the Japanese values on data privacy and the issues on privacy mark (The biggest 3rd party certification for data privacy in Japan).

We implemented a survey using 5-point scale after the webinar. According to the feedbacks, 53% of the participants feel the strong relevancy of GDPR to their business and daily work-flow, and 60% feel Japan should implement the strong data privacy policy as GDPR.

Many of them see challenges in Japan’s data privacy compliance policy, and here are some interesting feedbacks.

Perspectives of the webinar participants on privacy data handling in Japan#

Question : "What do you think is a challenge in the way the Japanese government handles data?"

• I have been advocating the need for this for 3 years now, but I feel that there is still a lack of awareness in Japan. I think it will be difficult to penetrate the market unless the government presents a solid sample. The opt-in/out system is not thoroughly implemented, and this can be seen in both of the person presenting and the receiving end. (System Auditor)*
• It costs us a lot of money just to obtain and maintain the Privacy Mark. However, the content of the Privacy Mark seems to be quite late compared to the case study presented here, and the Privacy Mark will probably not be approved if it has to comply with GDPR. The Privacy Mark is supposed to be an organization that examines whether or not personal information is being used in a safe and secure manner, but I felt again that the purpose of the Privacy Mark has become more about collecting money. (IT Coordinator)
• I feel that the protection of personal information in the Diet’s answer is too much, and we should have a discussion on how much we are using big data and whether it is allowed. (Recruiter)
• There are a lot of ambiguous policies, and I get the feeling that the user side is not getting the message. (Sales)
• I think it is necessary to put people in charge who are not dragged down by the organization with specialized knowledge and create a system that transcends interests. (System Engineer)
• Data privacy policy will be a hot topic in the coming years, as governments are expected to shift paper-less.(Administrative Lawyer)
• I feel we tend to care about privacy only when the crisis hits. I also think that the current legal system is too inadequate, and not ready. (Anonymous)
• I felt it would be interesting to differentiate ourselves from Europe by creating a society where data is open and can be used by anyone.(Managing Director)

The benefits of Consento#

All in all, we felt the strong need to show the uncomplicated solution for the Japanese market. Consento provides a user-centric Human Factor Authentication process to secure operations collaboratively based on “Shamir’s Secret Sharing” without the need for passwords and across organizations. Here are the 3 main key features;

1. Decentralized: Consento is a decentralized solution based on peer-to-peer and distributed ledger technologies. There is no centralized server or cloud infrastructure.
2. Password-less: Consento turns your devices into a key, and enables you to build your private MFA (multi-factor-authentication) workflow with your own devices and your trusted relations.
3. No single-point-of-failure: Consento makes authentication more secure through partial keys distributed within your organization (and to your suppliers or customers). No single user is left as a potential point of failure of the system as a whole.

Remote workers bear a great stress in collectively handling the privacy of company data.#

For many of us, remote working is here to stay
Beyond the inconveniency of mixing up personal and professional spheres 24/7, remote working brings along another source of stress for remote workers, and to those in charge of maintaining the company data privacy. Now that devices are connected and used outside the company network, the risk of mishandling passwords or using unsecure networks has become higher than ever.

Ownership v/s Controllability - "(data) ownership has turned out be a double-edged sword. It can be taken to motivate marketization, to harness the economic potential of data, and to put data subjects in a position to sell their data and thereby to receive a share in the value that gets generated from it. But at the same time, at least some versions of data ownership also pose significant constraints on this undertaking. Two worries are that intimate things are being alienated, and that losses of control loom for data subjects once their data is introduced into the market. As a consequence, care should be taken that marketization aligns with—rather than undercuts—the ideal of controllability." (Hummel, Braun & Dabrock ; 2020:26)

Who should bear the stress of company data privacy?
No matter how much technology the company might invest in, the human factor remains a key point of failure for the company data security. It is also the key to company data security itself.

With Consento, distribute and manage the responsibility of confidential data security.#

With Consento app, access to confidential data and company services is secured with the help of co-workers. Even for the work done outside the company secured network, the responsibility of handling company secrets is distributed and the stress of a single person mishandling it is reduced. Consento app enables HR and IT departments to easily onboard all employees, if not suppliers and business partners.

User-centric + co-responsibility + access control in your workplace management.#

Out of the box certified#

Consento will work on your current devices and online services.#

Being the custodian for contractors' CV or identities adds to the burden of coordinating agencies.#

Having to hold the custody of other's digital identities is timely, if not costly in human error.
Most of companies relie on a netwrok of external contractors and suppliers, for translation work, transcription, accounting, legal work, etc. Building a trustworthy partnership often starts with verified credentials, or asking for referals, in order to discard fraudulent candidates. Eventually, these verified CVs and confidential data about contractors become too valuable to be losely shared over emails or cloud services. The agency's reputation depends on it.

Translation Scammers - "As a whole, CV theft and translator impersonation are some of the most widespread scams. In 2017 alone, Translation Scammer exposed 5,055 new scammer IDs. That’s 36 new scammer IDs per month." (Word Connection Japanlization ; 2020:26)

The contractor should not ruin the agency's privacy efforts by using online tools either.
How often do freelance translators or transcriptors end up using online tools by conveniency? In doing so, they put the agency's efforts to keep data confidential at risk. Onboarding freelancers to develop a simple security and privacy hygiene ends up being costly. In the end, the agency resolves to share the information and guidances and just hopes for the best.

With Consento, embed data security and authenticity within your network of contractors.#

With Consento app, the verfied credentials of the one at the origin of the CVs or confidential information are linked to the shared files themselves. Consento makes sure that the proofs of identity are kept up-to-date. All the files remains encrypted between parties, accessible only to selected parties, who may access the data only on your consent.

Because security comes as a network, Consento makes it easy to onboard all contractors, even the least tech-savvy. By putting some humanity back into distributed cryptographic technologies, Consento combines high-level encryption and decreases the possibility of human errors.

Consento difuses the agency's stress by lowering the efforts required to manage a pool of contractors, their verified credentials and their data privacy hygiene. With Consento, your reputation is safe.

User-centric + co-responsibility + access control in your confidential files.#

Out of the box certified#

Consento will enable you to easily comply with GDPR regulation. Regulations change over years, and it may cost you efforts to keep an eye on regulatory changes. Relax, Consento will notify you of any relevant changes.

You are a crypto-millionaire! If only you hadn't lost your crypto wallet key...#

Have you heard how many bitcoin users would have become millionaires, only if they hadn't lost theit password? Bitcoins and distributed ledgers technologies opened amazing opportunities to secure transactions online. Although their technicality makes most end-users a bit chill. Moreover, they transform the end-user into the "single point of failure".

Password managers are presented as the solution. But they just postpone the problem... Password manager services seem to solve the everyday authentication issue. But actually, they just postpone the problem; either end-users forget about their master password; either their precious vault with all their precious passwords becomes a centralised vault worth hacking!

With Consento, secure your wallet credentials for years, without putting all your eggs in the same basket.#

With Consento, split your access key in parts and keep them safely stored on the devices you chose, yours and those of your trusted ones. To authenticate, Consento gathers the pieces on your request. No need to remember your password.

To keep your access under control, Consento makes sure the partial keys are taken care of and notifies you if any action is required from you to ensure your data security.

Long-lasting + sovereign + hight-level security for your digital keys.#

Out of the box certified#

Consento will work with your prefered Crypto Wallets.#

Consento will compete at the SxSW 2021 Startup Contest. Let's meet there!

The technology behind Consento has a bit of a magic. So we made a video to share that.

Thank you for watching.

About the thinking behind Consento and how it is supporting the plan to stay in control of data we need to stay in control.

Giving up responsibility is comfortable. We know this because giving up the responsibility of making good backups, structuring our data and publishing articles responsibly is something we gladly hand off to online platforms.

There are many common "best practices" how to minimize the exploitation of your data by big companies: Have multiple e-Mail addresses, use a password manager, don't share too much on social media etc. But this feels like a drop in the ocean. You still need to accept the rules of the system and hope not to get caught.

But how could a better system look like? How comfortable and powerful does a system need to be for us to maintain autonomy? We have been asking thinking and tinkering around these questions for more than a year and have received support from the NGI Ledger program a half a year ahead of our current, global challenges.

Here is the set of important requirements we identified:

Under the name of Consento, we started with a mobile application that exchanges consent requests through a completely private network with anonymized identities. You can take it for a test-ride by downloading our latest release.

As a team, we started to work on this issue with Georepublic being the primary entity. We hope that now, as we are getting to something more concrete, others will join our effort and help us make it a reality. → https://github.com/consento-org

As a society, we are not at a place where we as individuals can take on our "data-responsibility" yet. That's why we aim to raise awareness for this topic and also reach out to non-tech-savvy people, because the issues we want to solve concern everyone!

While the topics of the NGI Leder program are broadly spread, many of our sibling projects work on complementary goals: Cobox has been building the software infrastructure that allows us to exchange content. Iuvia has been working on a hardware one-fits-all solution that can be used as a server in house, building with similar building blocks, both necessary to take control over data storage sovereignty (read more in Jaya's post). oneHealth works on a responsible collection of medical data (think Fitbit; but also doctors offices) and Worldbrain's Memex is moving browsing information to a decentralized place.

If you can take this as an opportunity to support all of us by sharing our work, asking us questions or contributing to our efforts, that would make our day.

Thank you for reading.

The concept behind Consento - Human-Factor Authentication - requires trust. Consento aims at delivering a novel way to securely store confidential data encrypted without central cloud solution, and access them without depending on complex passwords. Instead, with Consento users can request the consents of peers they have decided to rely on. Such a new way to secure confidential data requires appropriate UX (user experience) & UI (user interface) to guide users in handling data privacy. But before discussing about the right UX/UI, we need to discuss a bit about a fundamental object: trust.

Indeed, before it comes to build trust in the UI, we need to build trust in the system. And before the system, there is the belief in the system. Consento story requires quite some thoughts about various forms of trust: trust in the system build by the web of devices, and in the other peers who act as trustees, if not also trust in the Consento business and team itself. So, to start with, what do we speak about when we speak about trust?

Trust#

We like the definition of trust as "a psychological state comprising the intention to accept vulnerability based on positive expectations of the intentions or behaviour of another"(Rousseau et al., 1998). Trust depends both on the individual abilities to trust and on the trustworthiness another is able to display.

Said otherwise, trust is neither a cognitive process nor an innate human feature, it is both (Mújdricza, 2019). Studies have shown that trust is an a priori given human faculty, and therefore the possibility of trust is always present. But visual cues, human contexts and past experiences affect positively or negatively the level of trust. Trust happens to be 'learned' more than 'earned', and it requires a certain affective warmth for a start.

Contemporary online experiences of trust#

Internet users experience online services as a fast pace changing context. They regularly confront with new offerings, new companies, new standards, etc. In such an uncertain context, the aspect of trustworthiness can be built on social constructs like reliability and on individual constructs like integrity (Rousseau et al., 1998).

Among the services internet users experience online (van der Werff et al., 2019), display of trustworthiness emerge on levels such as reputation systems, third party endorsement, transparency mechanisms, etc. And novel ones keep on emerging.

• The reputation systems provide a hint about trustworthiness based on other peers' previous experiences, as well as an incentive to behave trustworthy. Think for instance about peer-to-peer platforms tw-ways rating systems.

In the case of a decentralised architecture like Consento, with no central platform enforcing the rules, that system in itself might be less effective than the reputation in real life of these peers. Research (Nielsen, 2012) have demonstrated also that despite a tendency to trust more people who are similar to us, high reputation of peers (and stakeholders) eventually beats strong similarity among peers.

• The endorsement by third parties such as insurance companies, governmental institutions or civil origins is never a discrediting thing to get. Commercial companies also rely on customers' endorsements. However, studies report that online consumers pay little attention to endorsement itself. Third party endorsements bring on credibility more than trust.

• The transparency mechanisms rely on disclosing the code, the information about the company activity or the team members' affiliations. Fairphone for instance, discloses its full supply chain as a token for its commitment to transparency. On this aspect, Consento intends to embed transparency at its core, even though transparency _might be a concept antinomic with keeping data confidentially _hidden (this will be the topic of the next article eventually).

• Third party endorsement and transparency can be complemented by public self-assessments of governance.

Digital and in-real-life consents#

As for one's ability to trust, it is constantly reassessed depending on the lived experiences, online and offline. A personal dramatic event, or a worldwide pandemic for instance, do impact people's ability to trust each other or their institutions. Even if Consento is first a digital tool, we remain aware that the evolution of people's trust capacities happens mainly off-line.

The 'nudge' approach represent an interesting look into that matter. Humans are inherently biased cognitively. For instance, we would rather avoid loosing than risking to win, we weight the same information differently depending on the credits we give to the speaker, we assess value differently depending on the initial frame given to us to look at the matter, etc.

We have to remember that Cass Sustein and Richard Thaller approach spurred discussion on how much governments or corporations should be allowed to 'nudge' us to do what they want us to do. But when we speak about trust, we should not dismiss our cognitive biases, because before being rational, we are first human.

Roadmap#

So here are the track on which we'll work and test our assumptions : build on peer's IRL reputation, third party endorsement and transparency mechanisms. On these aspects, if you have any comments or recommendations of relevant actions for Consento team to take on, we are open to suggestions.

Else, what do you think? Is there any other ways of trust building we should keep in mind while developing Consento?