Have we lost the war? Or are we just fighting the wrong battles?

24 10 2014

It’s October, and so far this year the ‘bad guys’ have obtained well over 100 million customer records and a similar number of credit card details from a variety of organisations ranging from banks to hardware stores. Every day it seems another bad news story appears in The Register, or even on the BBC, informing us of yet another security breach, software vulnerability, internet scam or infected cat video on YouTube.

Each news story prompts the rolling out of the same faces, making the same statements and wringing the same hands AND NOTHING CHANGES.

Whilst those who have been paying attention understand that we are no longer up against spotty-faced kids in their bedrooms who switch between Doom (showing my age here) and hacking a website for their entertainment, the wider community does not seem to have caught on.

Our adversaries are running multi-million-dollar global enterprises with levels of organisational sophistication and technical expertise that many of their target companies could only dream of. They don’t have to worry about setting up committees and focus groups before deciding whether to raise a project to scope out the work necessary to request a budget to carry out a feasibility study into the value of implementing a new product. They just get on and do it, and in many cases do it extremely well.

That means we’re always going to be behind the curve, playing catch-up, and with the pace of technology change we’re dropping further behind.

So what do I think we should be doing? Well, to use Tony Blair’s famous phrase from 2001, “Education, education, education”, but not just in schools and universities.

People write poor code that can be exploited, people click on links in emails and download viruses, people give away their security information to anyone who offers them a free app, people decide what budgets should be spent on security improvements, and only people can make the changes necessary to give us half a chance.

Until most people ‘get it’, the few of us in the security world who already ‘get it’ are just lone voices in the wilderness, seen as a bunch of geeks wheeled out for soundbites that are forgotten as soon as the next celeb leaves Big Brother.

Sure, there are glimpses of change. Initiatives such as the UK Government’s Cyber Streetwise and Get Safe Online (incidentally, did you know that 20–26 October 2014 is Get Safe Online Week? No, me neither) are baby steps in the right direction, as are moves by e-Skills UK to promote cyber security training, but none of them are really joined up, and very few make it into the public consciousness.

So how could we achieve effective education of those who really matter?

There is no magic bullet, no one panacea for all our ills, but one thing we do know about the western world is that if something has a celebrity angle, involves reality TV or appears in a soap opera, boy does it get discussed around the coffee machine. If people feel they are directly affected by something (even if they aren’t), then there is a clamour to ‘get something done’ about it. So if we can pique their interest in something that really does affect them, who knows what might happen.

Maybe, just maybe, if we were able to get the conversation going at the soap opera level, that would get the message to the masses. If the scripts were written in an interesting and accurate manner, with real human interest about the victims, maybe that would provoke a reaction. If real solutions and suggestions were offered in a joined-up way, maybe that would encourage people to find out more, create a demand for change, and change themselves.

We know that simple things like running an up-to-date operating system and browser, thinking before clicking, and not sharing your personal information with the world at large will all help make you less of a target. The other 99% of the population don’t, and most of them don’t even know they don’t know. Until that changes, no amount of firewalls, IDS, IPS, anti-malware or any other technical security will win the war for us. No burglar will waste their time picking the lock on the back door when the front door is wide open and the burglar alarm is turned off.

As a start we need to remind people why they have a lock on their front door, and that leaving the key on the doormat, or not locking it at all, is plain stupid. Once we get that message understood, then we can start on the more sophisticated stuff.

That’s my two penn’orth. Maybe you agree, or maybe you think I’m being too simplistic, not clever enough or just dumb? Either way, I’d love to hear what you think, so please leave me some comments, and if you are a script writer on Coronation Street or Hollyoaks let me know and we can have a chat.

Keep safe

David
