Nobody will take security seriously until they're hurt 'in new ways,' says investor

Key Points
  • Americans have yet to take personal data security as seriously as they need to, said Greylock Partners' Sarah Guo.
  • Once consumers feel threats in a more personal way, their behaviors will change, she said.
Sarah Guo speaking at the 2017 Cyber Summit in Cambridge, Mass., on Oct. 4, 2017.
David A. Grogan | CNBC

For Sarah Guo, an investor at venture capital firm Greylock Partners, some of the future dangers of an ever-more-connected world are already here -- in China.

There, ransomware attacks on individual Android phones are a common problem.

Someone could find their phone suddenly seized, and then a message pops up saying -- "I want 1,000 bucks or you can't have your phone anymore," Guo said, in an interview last week at the Cyber Summit in Boston.

It's a scary prospect, and while Guo believes that sort of criminality will become a problem at some point in the U.S., most consumers still have a passive attitude about keeping their data safe.

Even after a hack the size of Equifax or Yahoo, it's surprising how few people take steps to secure their data, she said.

For example, Equifax CEO Richard Smith said last month that 11.5 million people have taken advantage of the company's offer of free credit monitoring in the wake of the hack.

That's a fraction of the 145 million people likely impacted by the attack, said Guo.

"If it actually hurts [consumers] in new ways, their behavior will change," she said.

Guo said the vast number of online accounts that most people have — sometimes numbering in the hundreds — makes it understandably difficult for the average person to practice good "data hygiene."

"There's no way I understand all of my accounts," Guo said.

Guo's investments at Greylock include data security companies Obsidian Security and Awake Security — the former of which is still in stealth. She said that Awake, while examining the databases of some of its clients, was able to find a shocking amount of bad behavior that the companies were completely unaware of — including corporate espionage and insider threats.

"There wasn't a single [company] where we didn't find bad behavior already," she said.

Correction -- An earlier version of this story misstated the status of Awake.