What challenges or threats do you see in the field of cybersecurity?
– Cybersecurity is such a broad field, so you can see multiple challenges. Looking from a tactical angle maybe it would be a possible introduction of quantum computing, which may fundamentally undermine many cryptographic principles on which the current systems are built. Other technologies, that are underway, could be also disruptive. On the other hand, it is not only technology, it is also geopolitical events that can impact cybersecurity. They are not necessary predictable, but still we have to react to them, and this can range from international conflict to simple things like a civil servant leaving their laptop with some sensitive data. The challenges can also vary from a technology point of view and from a policy point of view. You have to design solutions that are flexible and try to take all these unknowns into account without being too burdensome on someone’s current resources. So I think the challenges in cyber sphere are definitely multi-faceted and pointing out a single one always depends on who you are talking to, in what sector they’re involved, and what problems they try to solve. They will be different for someone who works in critical infrastructure, to someone who works in education, to someone who is in non-profit.
Are humans really the weakest element of cyber system?
– I think it is both yes and no. Because sometimes humans are very soft targets, they are easy to compromise. There are plenty examples of that. But the same time, humans could also be viewed as a first line of defense, and if you train and educate them properly, they potentially could be more effective than any technological solution you can implement. Technological defenses are useful, but the same time they often are viewed as a hindrance to productivity. Technology must be designed for human use. You can’t just focus on one or the other. To make sure the human isn’t the weakest element you must enable the human to be the strongest. You have to equip them both with knowledge and understanding why cybersecurity is so important and with some best practices. But also give them user-friendly technologies they can work with, not hinder them. Too often technology developers don’t keep user experience in mind and end up designing something not user-friendly. In cybersecurity this often seems to be a case. The classic example is PGP-encrypted e-mail – if you ever have used the PGP-encryption for mail – it is not user-friendly at all.
Is that our price for progress?
– All new technologies come with benefits and disadvantages and some even come with direct threats. We just have to adapt and try to foresee which challenges will come and how they will impact what we currently do. In some cases this is a radical shift. The internet is a fairly radical shift in scale, for example, in communications. But ultimately the digital world is just doing the same things we have always done, just faster with more transactions.
Which methods or approaches can be useful related to cybersecurity?
– Again this is too wide a question because of the whole spectrum of what cybersecurity means. But if we talk about people protecting themselves as individuals – that is useful starting point. The first thing you always have to do is to ask who am I protecting myself from, what are my threats or what am I try to avoid or mitigate against. As a private person you would probably be most concerned about compromise of personal accounts, not necessarily social media accounts, but bank accounts. Luckily, the way security culture is currently set up is that banks take a lot of the hit if an account is compromised; banks will pay for damages happened or reimburse your money. To stop this happening, banks make you carry out some security services, such as giving us some two-factorial identification devices, which is great.
One controversial aspect is that if you want to force people to improve their personal security, you need to make them responsible for the damage that could happen. Because they can’t outsource their security to other people, they have to be secure themselves, or otherwise to pay the costs when something goes wrong. Insurance is another interesting mechanism for that. You can encourage people to be more secure through adoption of cyber insurance – better security practices drive down insurance premiums. The insurance industry been tackling this for the past few years and time will tell whether it will lead to improvements in security.
From a personal point of view, little simple things might be obvious but useful. For example: use strong passwords. Passwords are a terrible mechanism, but unfortunately we are stuck with them. One solution is to use a password manager, which means you have to remember one strong password and everything else would be automated for the other websites you plan to visit. Another example is to be sensible with the things you post on the internet, especially if it is a public forum, and consider differences between “public” and “friends only” settings on social media. A few more examples might be:
- To use a passcode on your phone or fingerprint sensor
- Don’t plug in any USB devices that you don’t know where they are from
- Not opening attachments in e-mail. This is a contentious one, because that’s what email was built for – to send each other links or attachments. But the key is if you don’t know the sender – be aware.
- Be sure you have turned off macros in Microsoft Office software.
These steps are simple and can be called a “cyber hygiene”. In the medical context such small steps add up. You wash your hands when you go to the bathroom – the same way you need to lock your PC when you leave it. Little habits can make a big difference.
How to deal with older generation, especially if we talk about those, who work in sensible government organizations?
– Lot of stuff that we discussed in the previous question is very applicable here. There are of course technological solutions, so you can limit the potential damage the users can cause. If they click on a harmful attachment or a suspicious link – thees solutions will open them in sandbox, so malware does not spread throughout your network. But this is a technical solution for human problem. You need human solutions. The users don’t have to be technical experts, they don’t have to understand what is going on the background, but they have to understand the risks associated with their behavior. For government organizations you need a team for user assistance, for example to check attachments in e-mails. The main thing is that you need to reinforce good behavior. If you find that your users are flagging e-mails, and do this correctly, you have to give them some kind of reward. It’s a carrot and stick scenario. Stimulating good behavior is more effective than punishing mistakes.
Coming to another vulnerable category – how to protect kids? How to teach them cybersecurity?
– It is not too different from the previous answer. Kids have the same problems, but come from different directions. Where is the older generation maybe don’t understand the technology, because the technology is too new, the younger generation understand how to use the technology, but only on the top layer, the application layer if you will. They are experts in using Instagram, Facebook and Snapchat, but they don’t know how it actually works. If you understand the underline technology, you understand how something can be secure or insecure. But not everybody wants to be a computer scientist, not everybody should.
When is a proper time to teach them?
– I would say, even before they get their hands on a digital device. You don’t get to drive a car before knowing the principles of the road, you need to have done some kind of theory and practice before. We don’t need to mandate all people to learn all principles and laws in cybersecurity, this would be counter-productive. But it could be really useful if kids could be introduced to cybersecurity at an early age. If you are parents I would absolutely encourage you to say a word or two about what is safe behavior if you putting a smartphone or tablet in your kid’s hands. It is a matter of parental responsibility. Security is perhaps not the right concept for that age group, we can instead frame it in terms of safety.
Who can be an example for kids?
– Pop-stars, or even cartoon heroes. It would be great to have, for example, Justin Bieber for that. They don’t even have to say anything on the topic, but need to project the right kind of behavior. Kids copy role models, whether that be parents, celebrities or friends. If they see them behave in a certain way, they will try to copy that. So it is really about setting good examples, via cartoons for younger kids, or with the help of celebrities for teenagers. But I’m skeptical that anyone would want to watch a special cybersafety cartoon on a Friday evening. This needs to be built-in to existing movies or cartoons. Same for pop-stars; it might don’t work if they just come up on the stage saying “come on, let’s be cybersecure”. The message only works if the people who saying the message are also doing it. You’ve got to practice what you preach, and that is not only for celebrities, but also for parents.
Andreas Haggman is an Emerging Risks Research Analyst at Willis Towers Watson, focusing on issues around cybersecurity, geopolitics, and future trends. He is also finishing a PhD in the Centre for Doctoral Training at Royal Holloway University of London. Andreas’ thesis investigates the use of tabletop wargames for cyber security education and awareness training. He received BA (Hons) and MA degrees from the Department of War Studies at King’s College London and spent time in the video games industry, retail management, and the defence sector before recently joining the insurance industry.