BeCyberSafe: Like Charity, Cyber-Security Begins at Home
22301:2019 accountability article 25 article 28 article 35 awareness bcms breach ciso contracts controller cybersecurity data breach data privacy Data Protection data protection officer data protection service Data Subject Access Request DPIA DPO DSAR encryption GDPR incident management information security leadership management Pentest Privacy processor resilience risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools transparency vciso virtual ciso
Should organisations do more to help their users protect themselves against cybercrime at home? Should an internal awareness programme include some key things users could do at home which would reduce the chances of their employees succumbing to a fraudster? Do awareness programmes raise awareness of the cybercrime problem but ultimately neglect to educate users on how to actually prevent a cybercrime incident from occurring in the first place? The answer to all these questions is quite probably yes. By helping change employee behaviour at home, organisations are more likely to embed that home behaviour in the workplace. Promoting initiatives such as BeCyberSafe and the Safe and Secure Onlineprogramme could be a cost-effective way of reducing overall cybercrime both at home and in the workplace.
BeCyberSafe: Are we more aware of cyber-crime?
Many good cyber-security practitioners know humans are often the weak (or weakest) link in their cybersecurity programme. Users emailing personal data and intellectual property to their personal emails or clicking on links in emails, installing malware onto the corporate network. Procurers of IT systems failing to do their due-diligence of vendor security leading to gaping holes in security. Senior Management requesting their systems are less locked down so they can access their favourite websites, exposing the wider organisation to unnecessary risk.
Over recent years though, Boards are now asking probing questions relating to cyber risk; users [grudgingly] complete their annual awareness training; and GDPR / DPA 2018requires organisations contractually lock in security with third-party vendors processing personal data (although so did the original DPA 1998, just with lower fines). The above would all suggest, anecdotally at least, that we are all more aware of cybersecurity issues. The question is, does awareness of the problem translate into an actual reduction in cyber-crime?
BeCyberSafe: Lies, Damn Lies, and Statistics!
Hurrah – we’ve solved it!!! Backed up by the figures too!!!! There has been an estimated 28% decrease in computer misuse between Jan 2018 and Dec 2019 and this is not an isolated year. This figure is according to the latest release of the UK Office for National Statistics (ONS) Crime in England and Wales Survey, year Ending 2018 (released on 25 April 2019). As it’s the ONS, I’m inclined to give it some reasonable credence.
Unfortunately, this compound statistic – like a lot of statistics – doesn’t really show the whole picture. In fact, unless you read further on in the report, it largely obfuscates another issue. Whilst there is a 44% decrease in virus-related incidents, unauthorised access to personal information (things such as your credit card details or personal files being compromised) remains pretty much unchanged at 506,000 incidents (compared with 508,000 the year below). This would suggest people are aware of the need to report the misuse, but not aware of how to prevent the incidents occurring in the first place. The evidence suggests people (in the UK at least) are still not taking proactive steps to protect themselves from cybercrime.
BeCyberSafe: Why the decrease in virus incidents?
If I were being a little cynical, I would suggest the decrease in virus incidents is largely nothing to do with a change in user behaviour but other forces working in the background. Over the last few years, the Microsoft Operating System, Windows (since Windows 8), has included Windows Defender Antivirus. This tool automatically updates without intervention from the end user too. This means that as more and more people purchase newer devices with Windows 8 or above installed, they no longer need to think about installing anti-virus. More importantly, viruses take advantage of a weakness in the Operating System – unpatched security vulnerabilities. Windows 10 took control of patching out of the users’ hands in this regard by making the update (patching) process automatic by default. One could, therefore, hypothesise that the anti-virus issue is being engineered out without the need for user intervention, and it is this reason there has been an ongoing downward trend in the amount of virus-related incidents.
Now, as someone who advocates positive use of data to support evidence-based decision making, it would be wholly wrong of me to not caveat my hypothesis here. I have no basis in data to support this claim, it could be a great research proposal for someone thinking of doing their MSc in Information Security – and I would love to see the results.
BeCyberSafe: Preventing unauthorised access to personal information
If the stats show unauthorised access to personal information is still an issue that requires solving, surely this is where we as evidence-based practitioners need to focus our attention. If the general population are reporting so many incidents (remember that figure was 506,000 incidents in a population of 60million in one year) then in the corporate world, it is reasonable to adduce the following (again untested) hypotheses:
- There are fewer incidents because corporate devices are a lot more locked down than personal devices.
- Incidents in the corporate environment will proportionally mirror personal incidents, suggesting a significant amount of unauthorised access is taking place in the corporate world which is largely unreported.
- Incidents in the corporate environment are more (or less) likely to be reported dependent on corporate culture.
Again to caveat, these are untested hypotheses, but if true are very concerning. The basic premise behind these hypotheses is simple: the workforce is generally made up of a cross-section of the wider population, if these employees are compromised by their behaviours at home, it is highly likely they will adopt those same behaviours in the workplace and compromise their organisations. If these incidents aren’t being reported, there are likely cultural reasons underpinning the lack of reporting.
It’s worth noting that the behaviour of both children and those who are older may account for a higher proportion of incidents of computer misuse than the working age population (for a variety of reasons we won’t discuss here). This again would need to be looked at but ultimately, if organisations don’t consider the impact of the behaviours their employees bring in from their home use of technology, they risk exposing their organisations to the effects of that behaviour.
Solving the problem at home
The concept of solving the problem at the source [i.e. at home] is not a new one. Online Banking platforms regularly offer their retail customers free anti-virus software as part of the banking offering. More and more online services are offering (or defaulting) multi-factor authentication to prevent unauthorised access. EU regulations on online payments (PSD) have been strengthened too to reduce the success rate of online fraud. It seems clear the data shows consumers are still in need of further protection. Could organisations fill this void?
By organisations effectively targeting some of their training and awareness resources to securing their employees against the personal threat of cybercrime, organisations are likely to see a benefit too. The change in their employees’ personal behaviour is likely to translate into a change in the way they use corporate IT. Organisations who demonstrate they care about their employees above and beyond their value to the company should also see an increased sense of belonging, increased morale, and increased loyalty towards the company.
Couple that with lower cybercrime across society – That can only be win-win!
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.