Almost half of UK businesses (46%) and a quarter of UK charities (26%) reported cyber security breaches or attacks in the last 12 months.
The figures are higher for medium-sized businesses (68%) and large businesses (75%).
Cybercrime is on the rise.
So it’s just as well the UK government is doing something about it.
National Cyber Security Strategy
In 2016, the UK government published a 78-page National Cyber Security Strategy.
The new Strategy was underpinned by £1.9 billion in investment. A five-year plan (2016-2021) was set out to improve cyber security practices across the nation.
The government pledged to pay due attention to “human and behavioural aspects” of cyber security. It recognised the need to “deliver a step-change in public behaviour” to bolster defences against cyber criminals.
Initiatives to improve public knowledge of cyber security threats were put in place. One of these was the Cyber Aware campaign, which has continued to evolve in response to developing threats. In 2020, the campaign responded to Covid-19, publishing new information on secure home working and safe online shopping.
Clearly, the government recognises people play a part in cyber security. But has it gone far enough to address the human factor?
The costs of human error
In 2019, our research found that 90% of UK data breaches were caused by human error.
For the most part, we’re kind, helpful, curious and obedient. And that can make us vulnerable to cyberattacks.
It’s incredible how deep these human traits run. To hammer the point home, consider Connecticut, 1961.
Understand people are people
In 1961, Professor Stanley Milgram carried out a study on obedience.
Each participant was instructed to administer electric shocks to an unseen but audible fellow human being. The shocks wouldn’t actually be administered. But those administering them didn’t know this.
The voltage of each shock increased in increments throughout the experiment. Initial shocks were bearable. But the voltage rose quickly. Eventually, the shocks would be lethal.
Milgram’s fellow researchers predicted fewer than 3% of participants would administer the final lethal shock.
Incredibly, 65% of participants ended up doing so, despite showing overt signs of distress themselves.
The authority of the ‘scientist’ overseeing the experiment won out over the participants’ own sense of right and wrong.
All because, as humans, we like to trust, and we often do as we’re told.
What we must do when fighting cyber crime
It’s not hard to see how cyber criminals might exploit our tendencies to trust and obey.
Throw helpfulness, hope, laziness, myopia, and a whole host of other human vulnerabilities into the mix. You might wonder why the situation is not much worse than it is.
You might also start to see how important changing behaviour is when addressing cyber security. And to be fair, the government’s current strategy indicates awareness of the importance of behavioural change.
But, in reality, how far do existing initiatives go towards impacting and changing poor security behaviours?
Keeping up with the criminals
As the government’s five-year strategy draws to an end, a new strategy will be on the horizon.
If behaviour change can take centre stage moving forwards, we may well finally begin to take the higher ground.
And let’s hope we can – sooner rather than later.
Cybercrime is advancing. We need to keep up.