I’ve been doing a lot of research on cyber security and credit card security recently. There have been a high number of well-publicised failures – such as Target and the US Government Office of Personnel Management – not to mention Ashley Madison. The list seems to grow and grow.
These suggest that hackers can access many types of system – even those that ought to be the most secure. Further examples are the large number of Wikileaks episodes, which demonstrate that even a technically secure system is vulnerable to someone with legitimate access but different motives. (This was always possible, of course: but the problem with IT systems is they make it possible to take so much more information out with you than the days when you had to use a Minox camera!)
The ‘Economist’ recently argued that companies should learn lessons from intelligence services and create ‘defence in depth’ – “to minimise the damage when someone does break in, and if possible, to turn the situation to their advantage.” This can be done by compartmentalising information, training staff to inculcate good security habits, and by using creative deception strategies. The ‘Economist’ ends by recommending rather more paranoia.
However, the fact is that so much of our lives is now on the internet that there is little option but to trust it. One personal equivalent of corporate paranoia is to have many passwords, for example. But every website these days insists on a password and email address (for marketing purposes, I suspect, not security). My own list of passwords is now over 90 long.
In the end there is no ‘silver bullet’. We’re stuck with cyber crime, and the old innocent days when you put things on the internet without thinking too much about it are just nostalgia, like those days when people in the countryside never used to lock their doors (or so they say). As Peter Trim and I argued in our book on Cybersecurity Culture, you have to develop an internal culture that helps you to anticipate attacks and react to them.
Simulating these attacks is one good way of doing this, allowing organisations and people to practise their responses without having the pain of the real thing. One of the most difficult things we’ve found is actually recognising when you’ve been attacked. First comes ignorance, or denial; then over-reaction, which can be more harmful than the attack itself. But if you investigate the problem, it is not quite so frightening if it ever does happen; and if you practise dealing with it, you can learn to minimise damage quite effectively. We all live with insecurity in most aspects of our lives: looking for 100% security on the internet is a dangerous mirage.