According to a study last year, a staggering nine out of ten cloud data breaches are caused by human error. The study, carried out by a major security firm, found that 90 per cent of cloud breaches are the result of preventable social engineering attacks that depend on company employees being conned into handing over organisational details such as usernames and passwords, or even simply sending confidential spreadsheets and databases over email.
There is some disagreement over these statistics, with a 2018 study putting this figure significantly lower at just 40 per cent. However, this latter report did also include a number of worrying workplace trends. For example, a quarter of the US workers surveyed admitted to leaving their computers unlocked when they left their offices in the evening, and over a third (36 per cent) said that they kept sensitive documents in hard copy on their desks, unattended.
The cost of these breaches is not a trivial matter; one source estimates the average cost of a breach to be in the region of $3.92m, with the Norsk Hydro ransomware attack costing a blistering £45m. Furthermore, it’s worth remembering that the damage these attacks cause is not always simply financial; the Ashley Madison data breach in 2015 resulted in at least five suicides and countless incidents of blackmail.
The prevalence of these attacks might lead some to conclude that we are living in a world where security flaws are rife, and highly skilled hackers are targeting organisations on a daily basis. However, the other – perhaps more disturbing – possibility is that consumers simply take company cybersecurity for granted.
Taking security for granted
According to the Digital Quality of Life report, barely a third (34 per cent) of consumers believe that cybersecurity is important to their ‘digital quality of life’. Almost twice as many (66 per cent) say that they prefer a faster internet connection, rating speed as more important to them than staying safe online.
Furthermore, many consumers seem to have a somewhat blasé view of digital priorities. The same report found that only 11 per cent of the British public favoured easy access to e-government services such as the ability to vote online or find information about local schools and GPs. In contrast, 31 per cent rated access to online entertainment and pornography highly.
However, this could also be rooted in other issues. According to the Digital Quality of Life report, the UK’s online environment is not as healthy as it could be. For example, the average broadband speed in 2019 was 56.63Mbps, ranking only 31st in the world for overall speed, sandwiched between France and Israel. Switzerland, Norway and Iceland, in contrast, boast average broadband speeds at least twice as high as the United Kingdom, with Switzerland’s average speed reaching an extremely nippy 150Mbps.
The same is true for mobile internet speeds, with the UK ranking 37th in the world thanks to an average speed of just under 30Mbps, with the same three regions (Switzerland, Norway and Iceland) dominating the mobile speed records as well. This might seem to imply that British users understand that they are languishing at the bottom of the speed tables, and have simply prioritised what they lack – after all, the UK rates very highly in terms of national internet security.
That said, it’s also important to look at the root cause of this prioritisation – and with cybersecurity unsurprisingly absent from the National Curriculum, this education tends to fall firmly onto the shoulders of businesses.
The state of UK cyber-education
Unfortunately, data from antivirus provider ESET has found that a third of company employees receive no cybersecurity training at all, potentially leaving them to expose company data or make mistakes that are harmful to the company. This no doubt includes incidents like when a Snapchat employee emailed the payroll data of 700 staff to an external attacker.
A further third of employees only get cybersecurity training once a year, with over half of IT managers agreeing that employees do need a greater understanding of the threats that the business faces. This seems to imply that although technology stakeholders understand the issues, they are unable to put their desires into practice, perhaps because of a lack of budget or implementation issues with the HR team.
Unfortunately, this leaves staff at the mercy of hearsay. In fact, over a third of staff learn about security from media and social sources – but when fake news and deepfakes can spread at the speed of light, this is dangerous to say the least. A similar percentage learn about cybersecurity from their family and friends, who are no doubt informed by the same sources. Only 19 per cent – less than a quarter – of staff get their information about security best practice from their employer.
The picture is not completely bleak; 48 per cent of UK consumers do understand and rate the need for data protection laws highly, although this is no doubt in some part due to the publicity around GDPR in 2018. Furthermore, as a country, the UK does rate highly for cybersecurity measures – in fact, according to the Digital Quality of Life report, it ranks first in the world, followed closely by the US, France and Lithuania.
Indeed, other countries do seem to be facing similar challenges; back in 2013, a study found that France had more victims of cybercrime than any other country. A whopping 41 per cent of French smartphone users had been victims of cybercrime, compared to 29 per cent in Europe as a whole, and 38 per cent worldwide. This went hand-in-hand with a lack of knowledge; half of the users surveyed did not know how to use antivirus software or set passwords correctly.
This has no doubt improved in recent years; President Emmanuel Macron has been steadily investing in technology and called for significantly better cybersecurity arrangements in 2018, noting cyberattacks, interference in online elections and IP theft as just a few of the online nasties to combat. Whether these measures have taken hold or not, it does show that the UK is not alone in facing knowledge problems.
Looking to the future
There’s little doubt that although hackers are becoming more and more ingenious at finding flaws in corporate security systems, consumers are still responsible for a significant share of cybersecurity vulnerabilities today. Hackers are growing smarter than ever, and as our IT systems grow more complex and the use of technology spreads through almost every aspect of life today, it’s crucial that this rising tide is fought effectively.
And although the burden of cybersecurity education often falls on the shoulders of organisations and their IT teams, it’s equally important that IT security know-how is also embedded into our education system and that consumers themselves also take responsibility for keeping our national infrastructure secure.
Naomi Hodges, cybersecurity advisor, Surfshark