I’m a big space fan, and in my era man went to the moon on Apollo – but as the film Apollo 13 reveals, only one moon-shot after Buzz and Neil kicked the dirt around 247,000 miles from home Americans were already bored of the coverage.
Maybe this is a straw in the wind for the way that important events or information is played to the masses regarding security of the internet. A BBC news article this week which coincided with the chancellor Philip Hammond’s speech on cyber security at the Microsoft decoded event in London, highlighted that relentless cybersecurity warnings have given people "security fatigue" and this is leading to people becoming even more complacent than before about their role in keeping their own or their company’s information safe.
The report cites a US National Institute of Standards and Technology (NIST) survey that suggests many respondents from a wide range of social and economic backgrounds and ages ignored warnings they received and were “worn out” by software updates and by the number of passwords they had to remember.
However, users frustrated by the extra security steps they had to go through to get at "their stuff" in online bank accounts or on other websites, should note that fraudulent use of accounts and fraud is increasing as we expand how we access this data. Switching off from the warnings is just not an option.
Barclaycard in the UK have just started a different tack, reporting on a user’s monthly statement that it has applied fraud checking against the users account and provides a thumbs up that things are looking ok. I think this is a great idea as it is focusing the attention to cybercrime at the point where we are focused on a specific element of our personal data -the credit card statement in this case, which in turn encourages us to stop and check we believe everything is oK too.
The challenge has to be to ensure people don’t “tune out” from security due to the barriers security measures put up when we are simply trying to access information. This is highlighted by statistics that show how ingrained both the problem and the solution is in today’s cyber landscape:
The average Briton has over 20 separate passwords and typically access at least four separate websites with the same credentials (Source: NCSC).
One million new malware variants are being created each day. One in 113 emails contains malware (Source: Symantec Security Insights report).
So Philip Hammond’s recent pledge to spend £1.9bn on cyber security is a good thing, the trick is understanding where he is going to spend it.
Certainly, a proportion of it is going to be spent on “awareness” campaigns – but will these be just like the ones in the US that have now built up the complacency that is as dangerous as ignorance?
He will also have to address the need for the SME sector to invest more in Cyber security as today there still is an incredible reluctance at CxO level to spend anything like the right amounts of money to set an organisation on a path that will deliver the highest levels of protection available.
Many still don’t get that it is a layered approach that bears the best results, where process, control, monitoring, software and the right oversite are mixed with technical capabilities to defeat the widening threat surfaces that are presented to an organisation.
The internet has become the petri dish for cyber-crime and even the inventor of the web, Tim Berners-Lee, warns that people need to be aware that although instant and powerful, this power is being turned against the establishment and individuals to break into public and private data on an unprecedented scale. Berners-Lee goes on to say the “warfare on data” at the user level is being waged on us with our own devices such as those that control our heating, the fridge, security cams and that securing these is a top priority.
He urges people not to just take the webcams out of their boxes and start using them, but to change the password as soon as possible before they are hacked by an automated bot and the power and connectivity of the device assembled is part of a botnet attack capable of bringing down some of the most high profile internet facing companies. All of which is oblivious to the owner unless they check.
Many of the disbelievers of the need for strong cyber security suggest they can’t possibly be expected to protect themselves or their companies when big organisations are hacked on a regular basis. The truth is many of these organisations are spending money but are complacent too and leave enough chinks in the armour to allow an attack to be mounted. Just appointing someone to be CISO (Chief Information Security Officer) doesn’t fix the problems which are sometimes deep rooted and is akin to someone being appointed to be the office first aider which has had no medical training.
Mr Hammond may well be organising our cyber-crime stance with the National Crime Agency and GCHQ at the forefront of this battle and with the means to strike back at the attackers, which will in the minister words “make Briton a safer place to do business in” but it won’t complicate companies in the UK who think that Mr Hammond and his forces will solve the problem at their level.
Planning, vigilance and careful monitoring of the equipment that generates, processes and stores data is an ongoing task which needs to have an evolving plan that mirrors an organisations evolving use of data. Individuals can protect themselves more by doing the same thing companies need to do by assessing how they access their data and looking at if that access is being done differently from the last time you thought about security.
So when was the last time you checked the logs on your Dog or granny cam? And are you sure you and your devices are not inadvertently part of a cyber criminals botnet estate?