Cyber security is not about machines. It is about trying to stop people falling victim to what is called social engineering — doing silly things, wittingly or otherwise, with computers. Up to 90 per cent of cyber attacks take place because computer users are both busy and gullible, a deadly combination. They open files they shouldn’t. They click on dodgy links. They put their details on social media. They use personal devices to access work files.
Recently some 40,000 Tesco Bank customers in the UK became the latest victims of a cyber attack. Cash was stolen from about half of them. The theft of money, as well as data, creates a new worry for financial institutions. If it becomes commonplace, customers may be scared off online banking platforms.
Despite the headlines, the cyber security industry has prioritised the development of expensive tech over teaching people how to protect themselves. Almost all of the $1tn projected to be spent globally on cyber security will go on digital defences, according to Cybersecurity Ventures, a research company.
As a consequence, most companies resemble a mansion rigged up with security — CCTV cameras, electric razor wire, sniffer dogs. These keep out all but the most determined villains. Unfortunately, as long as the residents continue to let in any passing stranger through the front door, this is a waste of money. It is not just below-stairs staff who are duped. The lord and lady of the manor — the C-Suite — are also ignorant of the basics of an effective security regime.
It is very difficult to school people in cyber security. The geeks and securocrats use unintelligible language. Yet we need to know about this because we are the greatest vulnerability.
Communication is the greatest failure of the cyber security industry. If it does not improve and we mortals continue to ignore good cyber hygiene through ignorance, the volume and impact of attacks will grow.
It has been a good year for cyber malfeasance. The US presidential election has been peppered by hacks and email controversies, while Ukraine suffered an attack on its electric grid, the first successful confirmed attack on a major national infrastructure.
The announcement of a UK National Cyber Security Strategy is welcome recognition of the seriousness of the situation. Britain now has its own Cyber Security Centre to co-ordinate responses to threats and educate institutions, companies and individuals.
Ironically, the entire cyber environment is about to change dramatically and the machines are finally going to take over. Not necessarily in a good way.
We are at the beginning of the next phase in the digital revolution — the internet of things. We can remotely turn on washing machines and burglar alarms from mobile phones. But if we can access our machines from afar, so can hackers. A recent report detailed how hackers took remote control of a Jeep Cherokee by exploiting a vulnerability in its entertainment system.
CCTV cameras, chocolate vending machines and central heating systems contain computers vulnerable to being infected by malware. It does not take much for a hacker to take control of millions of devices and turn them into an army of zombie computers capable of attacking any target. This is the downside to the internet of things.
So let’s go back to that fortified mansion, now decked out with high-tech gadgetry. The staff no longer open the front door; this is done by a computer running a security check on callers. Unfortunately, those swish new curtains that close themselves when the light fades have secretly been told to open the door when a stranger appears.
It is convenient to turn on the heating in the country cottage from the M4, but we could end up starting a fire. The cyber security industry faces two massive challenges: educating people and securing their Things.
The writer is author of ‘DarkMarket: How Hackers Became the New Mafia’