Cyber security, a people issue

7 July 2015

Computers do not commit crimes, nor do they make mistakes. At the end of every information security breach is a person. Cyber security, in other words, is a people issue. Organisations must therefore acknowledge cyberthreats as a mainstream business risk to be dealt with at the board level but engaging all levels and departments of the organisation.

Cybercrime is not new crime. The objective is unchanged, though the methods are digitised. Similarly, the principle of protection against crime is unchanged, though we may need to update our methods. We protect against physical theft of our valuables with lock and key, so we must with our valuable data.

Crime opportunity theory holds that reducing opportunities for crime leads to a decline in crime incidence. Indeed, as developers become better at reducing and patching vulnerabilities in software, cybercriminals increasingly turn to social engineering to remain in the game. Newer attempts at cybercrime tend to exploit people’s trust, seeking to solicit unsecure behaviour. The ‘macro virus’, also known as ‘macro targeted malware’, is one example of this. Cybercriminals send out seemingly innocuous attachments which, when opened, run macros that infect a computer.

Consequently, a key cybercrime opportunity for a business to counter is the vulnerability of inadvertently non-secure staff behaviour. This requires engagement with staff on an ongoing basis, and in a language and manner that make the risks relevant and real to the employees, for instance through simulations and gamification techniques. Explaining good standards for secure behaviour and the benefits they entail may be more effective than issuing proscriptions of “don’t do” this or that.

Good practice may run counter to received wisdom. For instance, creating a lengthy password phrase of over 14 characters, such as a line picked from a song lyric, may be more effective than the oft-spouted restriction of 6-8 character length, including a mix of capital and non-capital letters, numbers and symbols. This can be easier to remember, and thereby reduce the risk of employees engaging in non-secure behaviour like noting down passwords or re-using the same password across multiple sites. Moreover, it is the length of a password that determines its complexity and, thus, the difficulty of hacking it. Therefore, demanding longer passwords of employees allows longer periods between changes of passcodes, further reducing the complexity for employees.

While the awareness of cyber risks may be deficient in both the private and the public sectors, it is critical for public bodies to take this seriously. A recent study suggests that 40 per cent of malware attacks in the UK in 2014 were targeted at the public sector, which is a ripe victim given the valuable data it holds and the inadequate protection often applied, particularly by local councils.

On 16 July Reform’s conference “Cyber security: assurance, resilience, response” puts the spotlight on the issue. Please register your interest at



Michael Cawley

14 February, 2018

Being left behind? Lastly, there is a whole additional level of cost when individuals cannot even access the opportunities of technology. As the digital divide expands, there is a concern that catching up may become harder rather than easier as the supporting environment for successful technology adoption becomes more demanding. Internet access is varied across countries. McKinsey & Company estimates that “between individuals cannot get online via the mobile network because they do not live within sufficient mobile network coverage.”26 Moreover, they estimate that there are about 4.4 billion people not on the Internet worldwide, of which about 75 percent are in twenty countries (see Figure 5). There are similar differences within countries. In many G20 member countries, for example, major cities and towns are very well penetrated by Internet and even high-speed broadband services. But with few exceptions, a significant share of rural or remote communities and, in some cases, smaller towns are poorly connected to even basic Internet services. Divisions also appear within communities across different demographic groups. For example, women, older people, and the poor are less likely to be online, and people with disabilities also face various barriers. These are also the groups that would likely benefit the most from being able to access these tools.