Cybercrime and cybercrime success are both on the up. To stand any chance of meaningfully reducing cybercrime, we need to call on an underused resource
Today’s cyber criminals have it easy
At least, that’s what newspaper headlines seem to suggest.
“Companies struggle to recover after Petya cyber attack” cries one such headline. “UK electricity grid cyber attack risk is ‘off the scale’” screams another. “Parliament hit by cyber attack” reports another still – and adding more to the list isn’t a difficult task.
These are the news headlines from just the last 7 days.
We’re not sure the media can be accused of fake news here, either. According to the market research firm Juniper, the costs of cybercrime are expected to hit $10.5 trillion by 2025.
One of the increasingly popular trends in cybercrime is ransomware as a service (RaaS). This is where cybercriminals create and distribute ransomware, which can then be used by others to launch attacks.
It is essentially a business model where ransomware developers create the malicious software, and other cybercriminals use it to target victims.
The developers get a cut of the profits, while the users get a ready-made tool to launch their attacks.
This approach means that even those with little technical skill can launch ransomware attacks, and it has led to a surge in the number of attacks in recent years.
RaaS has made it easier and more cost-effective for cybercriminals to conduct ransomware attacks, making it a significant threat to individuals and businesses alike.
It is just one example of how cybercriminals are exploiting weaknesses in cybersecurity, and highlights the need for increased awareness and better protection against these threats.
Despite our best efforts, cybercrime and cybercrime success are both on the up.
Few people truly know how to protect themselves online
Aside from increased digitisation, one of the main drivers of increased cybercrime is how easy it has become to steal a great deal of money with little more than a laptop, simply because businesses, those who work within them and members of the general public often don’t know how to properly protect themselves online.
According to a recent Mozilla survey, 91% of people still “don’t know much about protecting themselves online.” The same survey found 11.5% of people “knew nothing” and, rather worryingly, “pleaded for help.”
The findings might seem odd given the dramatic news headlines and attention afforded to the issue. But look closely and you’ll note that all the newspapers report is news of cybercrime.
Such articles at best imply that cyber security is important. But even the most engaged reader – say, a personal victim of a recent attack – could finish such an article no more aware of how to be secure online than when they started. So where might readers – clearly interested in the topic – look to gain such an understanding?
Businesses plagued by a lack of awareness
Depressingly, their employers are unlikely to be of much help.
A recent report by the cyber research group CyberEdge looked at why ransomware attacks amongst businesses had hit an all-time high. Given the costs to businesses, surely employees were being trained to spot and act on threats before they became a real problem?
Not quite. When surveyed, employees were apparently so ill-informed on the subject of cyber security that they openly admitted they weren’t doing all they could to secure their employers’ networks. In fact, survey participants quite literally cited “low security awareness” as their primary barrier to proper protection.
The report was published in 2017 – suggesting its findings were gathered amongst the current backdrop of increasingly dramatic news headlines, increasingly commendable government strategy and increasingly stringent business regulation.
All in all, it’s a backdrop that confirms what we all already know about the business world:
Despite employer efforts, employees do not know enough about cyber security. And that’s because raising awareness amongst employees is a seriously difficult task requiring more thought than is currently being applied – awareness means more than most give it credit for.
Employees are people. And people are complex
You might wonder why raising cyber security awareness amongst employees, for example, is such a tough ask. To answer that, we’re going to need to drop the word “employees” at this stage of the discussion.
“Employees” suggests a uniformed army of mindless business operatives whose only function in life is to increase their employers’ bottom lines.
Ultimately, though, these “employees” are people. And, as the relatively young field of psychology constantly reminds us, people are – both thankfully and frustratingly – incredibly complex.
Why cyber security awareness remains so low
It seems every day new psychological understandings are born, often simultaneously shattering what we previously thought we knew. As an example, for almost as long as the field of economics has existed, people have been assumed to be entirely rational. Entire government policies were based on the assumption of rationality.
In the last few years, though, the likes of Daniel Kahneman, Amos Tversky and the growing field of behavioural economics have repeatedly demonstrated that absolute rationality is simply not the case.
The overwhelming majority of decisions humans make – including those of great importance – are made without any conscious thought whatsoever. Rationality is often the exception as opposed to the rule, and such learnings must be taken into account when considering how we might change human behaviour.
Innumerable hurdles to overcome
As if the sometimes rational (sometimes irrational) nature of simply being human doesn’t hamper our cause enough, we have the determination of the cyber adversary to account for. We also have the day-to-day realities of the cyber “self-harmers” and the “unwitting many” to overcome, with their suboptimal cyber security practices both inside and outside the workplace.
All of this adds up to something of a challenging landscape – and one that fuels dramatic and ultimately depressing news developments such as:
“Parliament cyber attack hit ‘up to 90 users’”
“Blackmail fears after Parliament hit by ‘sustained and determined’ cyber attack on MPs’ email network”
“Cyber attack on UK parliament exploited weak email passwords.”
But, of course, all is not lost.
Calling in the cavalry
By accounting for psychology and the ‘human factor’, we can take a fundamental leap towards increasing people’s awareness of pretty much anything – cyber security included.
And by folding increased awareness into a holistic cyber security strategy, normal people can become our ultimate defence.
When you consider that as many as three-quarters of all cyber attacks involve a human, accounting for psychology and taking a holistic approach could be key to reducing the threats cyber criminals currently pose.
Accounting for psychology and taking a holistic approach will therefore be the focus of our next blog post.