Absolve end users and hold governments and big tech responsible for protecting us online
– that’s the message today from the head of one of our leading national security agencies.
Making the keynote address at yesterday’s CYBERUK 19 conference, GCHQ director Jeremy Fleming said the threat posed by cyber-criminals and state-sponsored hackers is too much for individual internet users, who shouldn’t be forced to assume responsibility for staying safe online.
Instead it’s governments, technology companies, and internet service providers who should do the heavy lifting when it comes to cybersecurity.
Fleming even suggested that a cooperative effort between all three could erect a national cyber shield over the UK, keeping out baddies and making it easier to track threats and vulnerabilities.
It’s a tempting proposition.
With a recent UK survey suggesting fewer than 15 percent of people understand even the basics of personal cybersecurity, and another proving the timeless appeal of ‘123456’ as a password, perhaps it is time to simply “take the burden of cybersecurity away from the individual.”
Just let people get on with their online lives?
There is a lot of wisdom in what Fleming is suggesting. At some point cyber experts need to stop wagging their fingers at end users and accept that people have lives to live, core job responsibilities to see to, and in the end, may have their own sensible view about the level of threat posed by having their Facebook password stolen.
Security is jargon-heavy and new threats and vulnerabilities are uncovered literally every day – every three seconds actually. Keeping up with all this has spawned a huge industry employing thousands of experts, each with decades of experience. Is it fair to expect the average person to keep up?
Companies need to protect systems and information so of course need to enforce rules around cybersecurity, but the ability of criminals to adapt and innovate almost ensures that, at some point, a member of staff will be tricked into giving away information they shouldn’t, clicking a link they shouldn’t, downloading an attachment they shouldn’t.
Time for a balanced view
Cyber experts often say security is everyone’s responsibility. True as far as it goes, but if something is everyone’s responsibility, it’s no-one’s responsibility. Accountability has to be allocated sensibly based on the size, budget, and capabilities of the parties involved.
There are four main players in cyber, and each has a crucial role to play.
Governments need to hold everyone’s feet to the fire.
Compliance regimes like GDPR can be a costly nuisance to implement, but the evidence is that they work. As for law enforcement and security, director Fleming’s speech this week shows that a consensus is building around the idea that cyber defence is too big, complex, and risky to be left to individuals. Governments need to allocate the resources necessary to make vital infrastructure safer, update laws to reflect the needs of the internet age, and catch and prosecute cyber criminals.
Governments also need to ensure that Big Tech companies are taking concrete steps to get their collective house in order.
The privacy protections and transparency of data practices at companies like Facebook and Google are a serious concern. With entire business models built around indiscriminate data hoovering, they will only change their ways if governments compel them.
For individual end users, it’s our view that the time has come to give them a break.
With all the signs of passive resistance to public service cyber warnings, perhaps it’s not surprising if an attitude has seeped in where some security experts want to shift the onus of responsibility downward.
Understandable, but systems that clash with natural human behaviours are doomed to fail.
We aren’t suggesting end users be cut loose entirely from owning home and workplace online safety, but still – we need to get past the idea that bad habits and laziness are the root cause of every breach and, instead, start empowering them.
Businesses and public sector organisations can find themselves caught between:
- Remaining compliant to satisfy governments
- Policing employees’ online behaviour while protecting their employer brand by being reasonable about personal use of apps and devices at work
- Investing in the latest cyber defence technology and still falling victim to a breach when someone loads a malicious landing page from a link in a WhatsApp message.
There is no single answer to all these problems, but for businesses and end users, a programme of security awareness training can minimise the risk of cyberattack, whether it’s from a phishing email, malvertising pop-ups on your iPhone, or an outside caller with an apparently benign information request.
By switching everyone on to the telltale signs of an attempted breach, organisations can create a culture of security awareness that keeps cybersecurity personal – but without the blame.
Want your employees to better shoulder their fair share of the cyber burden? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.