Cyber security, a people issue

7 July 2015

Computers do not commit crimes, nor do they make mistakes. At the end of every information security breach is a person. Cyber security, in other words, is a people issue. Organisations must therefore acknowledge cyberthreats as a mainstream business risk to be dealt with at the board level but engaging all levels and departments of the organisation.

Cybercrime is not new crime. The objective is unchanged, though the methods are digitised. Similarly, the principle of protection against crime is unchanged, though we may need to update our methods. We protect our valuables against physical theft with lock and key, and we must do the same with our valuable data.

Crime opportunity theory holds that reducing opportunities for crime leads to a decline in crime incidence. Indeed, as developers become better at reducing and patching vulnerabilities in software, cybercriminals increasingly turn to social engineering to remain in the game. Newer attempts at cybercrime tend to exploit people’s trust, seeking to solicit insecure behaviour. The ‘macro virus’, also known as ‘macro targeted malware’, is one example of this. Cybercriminals send out seemingly innocuous attachments which, when opened, run macros that infect a computer.

Consequently, a key cybercrime opportunity for a business to counter is the vulnerability of inadvertently non-secure staff behaviour. This requires engagement with staff on an ongoing basis, and in a language and manner that make the risks relevant and real to the employees, for instance through simulations and gamification techniques. Explaining good standards for secure behaviour and the benefits they entail may be more effective than issuing proscriptions of “don’t do” this or that.

Good practice may run counter to received wisdom. For instance, creating a lengthy password phrase of over 14 characters, such as a line picked from a song lyric, may be more effective than the oft-spouted restriction of 6-8 character length with a mix of capital and non-capital letters, numbers and symbols. A phrase can be easier to remember, and can thereby reduce the risk of employees engaging in non-secure behaviour like noting down passwords or re-using the same password across multiple sites. Moreover, it is the length of a password that determines its complexity and, thus, the difficulty of hacking it. Therefore, demanding longer passwords of employees allows longer periods between changes of passcode, further reducing the complexity for employees.

While the awareness of cyber risks may be deficient in both the private and the public sectors, it is critical for public bodies to take this seriously. A recent study suggests that 40 per cent of malware attacks in the UK in 2014 were targeted at the public sector, which is a ripe victim given the valuable data it holds and the inadequate protection often applied, particularly by local councils.

On 16 July Reform’s conference “Cyber security: assurance, resilience, response” puts the spotlight on the issue. Please register your interest at events@reform.uk.
