Why cyber security only works when people play along
Can you define the terms ‘Acceptable Interruption Window’, ‘Accounting Legend Code’, and ‘Secure Sockets Layer’? The chances are that you can’t, and you are certainly not alone. The overwhelming majority of IT users have little or no knowledge of the technology that drives and secures their devices. All they want is an experience that is fast and convenient at a reasonable cost. They certainly do not want to be bothered with a lot of fussy rules. In the following article, Richard Knowlton, Director of Security Studies at the Oxford Cyber Academy, explains what happens when ‘fast and convenient’ comes up against the need to fight off hackers. It turns out to be a very human problem.
We are all busy and all multi-tasking, and the digital technology that supports our business and personal lives has developed to cater for that fact. Modern systems and devices work intuitively and seamlessly to save us time and stress. They have been so successful that they have become absolutely central to our daily lives. Meanwhile, most of us have little or no idea of the technical details of how these systems and devices actually work.
Unfortunately, there is another side to the coin. There are a lot of malicious people out there - criminals or hostile nation states - who know exactly how to exploit digital technology to steal, to extort money and even to cause physical damage and death. And that raises an important question: how can we balance our reliance on the speed and convenience of smart technology against the serious cyber-security risks that it can expose us to? You might think that the obvious answer lies with the technical experts. They need to keep ahead in this ‘cyber arms race’ by building ever-smarter defences to keep the bad guys out.
It is not so simple. Of course, technical experts have a major role to play in keeping us all safe from hackers and they do a great job. But often they are as susceptible to commercial pressures as any other part of their business. Manufacturers may try to avoid the delays, extra costs and complications which can come from a focus on security.
Meanwhile, it is actually human beings who are a root cause of well over half of major cyber incidents. There is no ‘human patch’ to defend against the fact that people are often ignorant, careless, stupid or occasionally just malicious.
Hackers know this very well. They have developed a whole range of tactics to use humans to trick their way past our technical defences. We have seen an explosion in the use of these tactics during the Covid-19 crisis, when so many people have been working from home and outside their normal office environment.
This has led many executives to worry about the ‘human factor’ in cyber security; they may even speak about their staff as “the weakest link” in their company’s cyber defences. That is profoundly wrong in my view. Properly informed and prepared, our people are actually the “strongest asset” in protecting their organisation.
So, what’s the problem? We manage other issues in our organisation through communication, education and training; surely, we just need to handle security in the same way? Teach people the basics of cyber security and what to look out for (like phishing emails), and we solve the issue, right?
Well, no, actually – for at least two reasons.
The first is that we all know from experience that knowledge and awareness of a risk are far from guaranteeing that people will avoid it. Think of smoking, excessive use of alcohol, safe sex, seatbelts – the list is endless. Humans are not entirely rational beings.
The second is that security managers tend to think in terms of absolutes: the need for security is “obvious”. Meanwhile, they very often have little or no expertise in communication, so their answer to awareness training is simply to use basic online courses that teach staff the ‘dos and don’ts’ of cyber security. The results are predictable. Staff see these courses as marginal to their daily work; they are a chore to be completed to get a ‘tick’ in the relevant box on their HR record. Obviously, that attitude does nothing to increase real awareness.
The real solution is to see security as a fundamental aspect of a company’s culture. This requires everybody – starting from the very top of the company – to regard security as essential to their success. Unless that culture is right and permeates everything the company does, then basic security hygiene rules will be forgotten – or not even taught in the first place. The best organisations know this. Their security culture is central to who they are and what they represent.