With cybersecurity finally at the top of the consumer’s mind, the time is ripe for the industry to have a makeunder.
The business of protecting virtual information and territories is in dire need of a re-jig. Not just within the industry, but also in how it communicates with the outside world.
Major hacks have until now passed below the social radar- data breaches at Yahoo, TalkTalk and LinkedIn didn’t raise heckles as much as the NHS ransomware attack earlier this year did. The 9pm news bulletin on BBC led with the WannaCry story and it only hit most consumers hard when critical medical procedures and appointments were postponed. Consumers finally realised that cyber attacks, ransomware and social engineering didn't just happen to businesses but also touched their lives.
The reality is that, until something of such magnitude happened, there was hardly any understanding of how cybersecurity works and that it needs action from the collective whole to make any lasting difference.
The word ‘hacker’ conjures up frightening images of Russian spies and the darknet- where child pornography and leaked episodes of Game of Thrones abound. It does not help that these purported hackers talk in seeming riddles involving such arcane terms and codes that you cannot feel part of the conversation if you don't work in the industry. The fact that every image accompanying a story about cybersecurity is accompanied by a ‘man-in-a-hoodie’ image. Anyone who has spent 5-minutes within the industry knows that hackers are intelligent individuals with real jobs they (usually) love and earn a LOT of money for.
Although critically under-populated, hackers are easily outnumbered by vendors and analysts but the question remains why there is still so little understanding about cyber security amongst non-techies.
According to Bharat Mistry, principal security strategist at Trend Micro, “The more cyberattacks that hit the national headlines, the more that consumers should be thinking about the way that they protect their data and behave online. But in reality, the reverse is true. We’re becoming desensitised to attacks of this nature, safe in the knowledge that if our bank details, passwords or home address are breached, the company, and not the consumer, is at fault.
“Recent research from our threat labs revealed that 1.8 million hacks occurred on smart homes for the first half of 2017 alone. Hackers were able to remotely access smart devices – from TVs, to routers, to game consoles – through vulnerabilities that can easily be prevented. Something as simple as changing a default password, or downloading the latest software update, can ensure that the hackers can’t get in. It’s up to the consumer to take security into their own hands, but it’s up to the industry to educate them on how to do so, and why it’s so important.”
While it is easy to blame each other for how invisible the cybersecurity industry has been to the public, the fact remains that the education will have to start at home. According to a recent government survey, of 105 businesses in the FTSE 350 questioned, 68% of the company boards had no specific training to deal with a hacking incident. Laurance Dine, managing principal, investigative response, Verizon said: “Ultimately, we’ll continue to experience the same old problems until organisations start to take cybersecurity more seriously; treating it as a business-level concern, rather than an IT problem. The fact that less than a third of boards receive comprehensive cyber risk information clearly shows that this just isn’t the case today.”
Earlier this year, Raef Meeuwisse, cybersecurity expert and author told me: “We call it ‘The Medusa Effect’- If you take an overwhelming body of information and fact and bring it to the front of an executive body, it is like you have brought Medusa into the room. They [the Board] will look everywhere but at the problem and look for the earliest opportunity to either exit the room or marginalise the problem and pretend it never happened.
“If you want to affect a change then you have to present cyber security as a business problem. Present it in business language.”
But what of consumers? There has been a lot of head-scratching over how the language needs to be rid of jargon and cybersecurity education needs to start in schools so children and their parents are as aware of their virtual security as physical.
Ultimately, it needs relatable figures. Like Marcus Hutchins, the accidental ‘hero’ white-hat hacker who brought the WannaCry juggernaut to a halt. However, what the industry didn’t need is for the ‘hero’ to then be indicted by the FBI for his alleged creation and distribution of the Kronos malware.
Alex Stamos, Head of Security at Facebook recently told a conference in Los Angeles that white hats weren’t helping their own cause either by talking about niche viruses and cyber attacks and not simpler but more important problems like reusing passwords across different websites.
While it has been known that the word ‘hacker’ was not allowed to be used during a cyber security presentation by the UN, I also think it could also be because the industry is the purveyor of only bad news. Hacks, attacks, breaches coupled with doom & gloom does not lend itself to the warm fuzzy feeling other branches of tech evokes.
Take the mobile phone industry for instance, every phone launch is feted and celebrated endlessly and even when it is bad news, like in the case of the Samsung Note 7 bursting into flames, the bad news machine was kept it contained to the topic. And now think of the cybersecurity industry, even when keys and workarounds to virulent strains of ransomware are found or discovered, they aren’t talked about as much as the damage they caused. It seems almost like consumer malaise that they have heard us cry wolf for so long that they block it out when they need to pay attention the most.
Unfortunately hacker tends to only be used in a negative context. Which needs to change. like Risk 15 yrs ago, it needs a positive focus!
— Simon O'Gorman (@slogorman) August 21, 2017
Internal problems within the industry not just includes crippling skills gap, but also the lack of diversity within the workforce. Acceptance of a problem is halfway to a solution, usually. Let’s hope it holds true for cybersecurity too.