Terminology and your role
For simplification, the term ‘practitioners’ is used throughout the book to group everyone this book is aimed at: coaches, therapists, psychologists, counsellors, researchers and other professionals handling confidential client data. This choice was made purely to have one term to cover all the readers. The term ‘client’ is similarly used to group anyone practitioners work with.
Definitions of the term ‘cybersecurity’ can vary, and often include references to protecting networks and devices. Overall, for the reader of this book, cybersecurity includes being able to detect, mitigate and stop vulnerabilities, risks or attacks on your devices, networks and data. It also covers knowing how to respond in the event of an attack occurring.
It is important to point out that, in today’s world, it is unlikely that any practitioner has zero touch points to the cyberspace and works without any form of connected electronic device (computer, tablet, phone or other). This would require that you correspond with clients only through face-to-face communication, never on a phone or other electronic device, never over email and never over any communications software/apps. It would also mean you never store session notes, calendar entries or static data related to your clients on a computer, tablet, smartphone or other electronic device. Also, to be clear, data written offline on a device disconnected from a network does not make it ‘safe’ from cybercriminals; it can still be taken if the device is stolen or when the device goes online again. As soon as you touch the cyberspace, you are open to the risks this book will lay out. The book further funnels all of this down, chapter-by-chapter, to the focus points relevant to the reader.
Other useful terminology to understand at this point is that cybercrime is often delineated into cyber-enabled and cyber-dependent. Cyber-dependent crimes are those that rely on electronic devices (both on the criminal and the victim side) and a network connection to execute the crime – at least initially (Europol, 2017). Ransomware (which will be covered later) is an example of a cyber-dependent crime. Cyber-enabled crimes are crimes executed via the cyberspace, but not fully reliant on it. An easy way to distinguish this is: could the crime be committed in another format offline (The Crown Prosecution Service [CPS], 2019)? For example, you can be scammed for money by someone talking to you face-to-face, or via some form of correspondence over a computer; the cyberspace just enables a new, escalated or alternative form of the scam.
These definitions prompt a very important reminder on cybersecurity for the audience of this book: practitioners have a responsibility to understand their role in reducing the ‘dependent’ and ‘enabled’ factors of these crimes through cybersecurity and their own awareness. As will be shown in Chapters 5–7, some cybercrimes rely on weak security, while others rely on a person falling victim to a story.
You are operating in occupations where the term ‘confidentiality’ is one of the main foundations of working with a client. Ensuring this and protecting client information starts from the very first contact. Data should be understood as comprising anything related to a client, including all interactions. The bottom line is that the moment you handle, process or store data insecurely, which includes having a conversation insecurely, you leave a door open for a criminal or an opportunist – to obtain the data either through unauthorised access online or by physically stealing it offline.
Most accreditation bodies/associations practitioners are members of now include references to data security in their ethics codes and competency frameworks or other guidelines. However, these are often just references with limited interpretation of what is written. As a practical guide, this book, by applying the cybersecurity lens, gives the reader more insight into why these regulations are there – not only to protect clients but all of us. By incorporating practices to protect data, we also make our entire practice less vulnerable. This is vital because where practitioners work from the foundations of confidentiality and trust, criminals operate from the opposite side of the spectrum. Their strategies are built around finding vulnerabilities that will enable them to exploit victims, and the more sensitive the data, the more valuable it is.
With technology comes responsibility
Before the advent of computers, client data was vulnerable where it was, in the physical space where it was written or lay locked up in fireproof safes or cabinets, which meant that it could only be taken from that one place. Today, however, emails, calendar events and notes connecting a practitioner to a client are typically stored on devices that can be moved around and connected online.
The ease with which we can store data and make it portable, along with the increasing vulnerabilities in the cyberspace, has likely been part of why there has been an increase in privacy and data protection laws over the last decades (Solove, 2007). The challenge is that the cyberspace today enables more entry points for criminals and more extraction points for them to take your data and listen in on your conversations.
An important point to make here is that a breach of privacy or data occurs when any type of record is taken. One online session overheard by a stranger, one exposed chat message thread or the breach of a calendar app and all its records, including the names and contact information of clients, is enough to threaten exposure of your clients and even bluff that more information is held. As will be highlighted through a real-life story coming up in this chapter, the fear of what might have been exposed can be enough to create emotional responses in clients. The breach of trust factor is significant.
All these points said, working online today is not only unavoidable but also enables practitioners to potentially provide more services, more efficiently than before. Storing client information electronically means it is available from anywhere at any time, and engaging in digital communication may improve outcomes dramatically for some clients, who would otherwise struggle to attend onsite (for either practical or health reasons). So, while the realities of cybercrime will be pulled into focus in this chapter, do not let this deter you; rather, the information is being provided to firmly show why cybersecurity is here to stay.
Another important point is that not all cyberthreats will target your clients’ data. Some will be aimed at extracting money from you, through scams aimed at your business or you as the practitioner. These are also unfolded in this book, along with how to spot and mitigate them. Learning how to mitigate these threats is arguably just as important as protecting your client data, because cybercrime and fraud can cause long-lasting damage either financially or personally – to the extent that it can then have ripple effects on clients, leading to a situation where the practitioner either needs to discontinue or close their practice.
A final note on the important role you play in this journey. When working with clients, human behaviour and cognition may often be important factors in choices and outcomes for them. Although cybersecurity relies on technology and tools, human factors play a crucial role there too, particularly against criminals who will continuously look for a way in and do not have any boundaries. By understanding the why, what and how and starting to implement some good practices along with reading these chapters, you minimise your own vulnerability as well as the weaknesses in your technology set-up.
In summary, it is through taking an active part in learning about cybercrime, understanding how to spot red flags as well as setting up security tools, that you enable a holistic, more effective cybersecurity approach (Back & LaPrade, 2019). Through changing behaviours and practices you can also build further on what you learn in the future, and much of what you read here can also be adapted into your everyday, personal cybersecurity practices.
Why being fully offline is not actually a safer option
There is no silver-bullet solution to any of the cyberthreats or issues mentioned in this book, unfortunately. The reality is that if one source of income for a cybercriminal is closed off, they will explore a new modus operandi (MO), look for new ways in, find the next security flaw or vulnerable person to exploit. It can be tempting, then, to consider that taking an alternative route to cybersecurity is having a no d...