Once again it needs to be said: The weakest link in cybersecurity seems to be the people most at risk—people.
First, though: Did you know that there is an official “Cybersecurity National Action Plan”?
There is. You can look up a nine-page fact sheet issued by the White House in February.
It’s pretty impressive. Bolstered by the December 2015 passage of the Cybersecurity Act, it establishes a Commission on Enhancing National Cybersecurity and a formal position titled “Federal Chief Information Security Officer.”
The act builds upon a foundation put in place earlier by the Administration including Cybersecurity Cross-Agency Priority Goals and the 2015 Cybersecurity Strategy and Implementation Plan.
It’s worth wading through the fact sheet. Even if you weren’t aware of the plan itself, you’ve probably heard of the BuySecure Initiative, in which federal agencies have been issued chip-and-PIN cards and readers to make their financial transactions.
Or the Federal Trade Commission’s recently revamped IdentityTheft.gov website.
Or the National Cybersecurity Awareness Campaign, which sponsors National Cybersecurity Awareness Month, this year occurring in October.
Also, you’ve probably been at least somewhat aware of the increased emphasis lately on embracing multifactor authentication; increased opportunities for university-level cybersecurity curriculums (including student loan forgiveness programs for graduates who join the federal workforce); and Department of Homeland Security efforts to identify and prioritize protection of the country’s most sensitive infrastructures, including financial services, against cyberattack.
All in the Cybersecurity National Action Plan. So, to be sure, it looks like the government is taking cybersecurity seriously.
But the government is not only for the people. It is of the people, and by the people.
And people, again, are the weakest link in cybersecurity.
Like the game show says…
A sad litany of recent surveys points out this condition:
CardHub surveyed people and businesses six months out from the EMV-card liability transition—intended as a major cybersecurity effort—and found that 42% of retailers have not updated the terminals in any of their stores. Also, it found that 56% of people don’t care if the point-of-sale readers are chip-enabled.
And 41% don’t even know if they have a chip-enabled card!
TransUnion, late last year, conducted a wide-ranging security survey. It found that 86% of millennials store bank account information on their phones and 84% check financial accounts while connected to public wi-fi—both of which make them extremely susceptible to cybercrime.
Baby boomers were only slightly better in their behavior, with half storing important information on mobile devices and 54% checking financial accounts while connected to public wi-fi. Even the most basic of mobile protections—locking devices with passwords—is ignored by 67% of millennials.
SAS conducted a follow-up survey intended to show how concerned people are about their own security following reports of major data hacks and breaches. In 2014, 77% said they had heightened concerns; in 2015, that dropped to 63%.
Perhaps more troubling, SAS found that people who report the most worry about what businesses do with their personal information are also the most likely to go online, especially via mobile connections. One more finding: Only 13% said they are very likely to read the terms of agreement and privacy policies before they download new apps or make purchases.
Javelin reported that in 2015, 13.1 million people reported having their identity stolen, up 3% from the previous year. The good news: “Only” $15 billion was stolen, down 6% from 2014. Digging deeper, Javelin found that “consumers who do not trust their financial institutions and do not take advantage of the services offered by them are setting the stage for more damage if they become fraud victims.” Specifically, these people risk having their stolen information for 75% longer by fraudsters and are likely to incur 185% greater loss.
Io(t?)T: Internet of (trustworthy?) Things
The sad but seemingly inevitable result is, this situation is likely to get worse, particularly as the internet-of-things trend continues to grow.
BullGuard, an anti-malware and mobile security provider, recently issued a report claiming that 58% of consumers are very worried about hacks and breaches against their IoT devices, and 61% don’t know how to protect themselves from these risks.
IoT encompasses anything that connects to the internet—automobiles, televisions, thermostats, baby monitors, surveillance cameras, garage doors—even toothbrushes. (And even your electronic best friend Siri—a basic is Siri’s recommendations of what to check out on the internet.) Already, according to BullGuard, 37% of owners of such devices have reported security or privacy problems.
It’s not just techno-ignorant people at risk now.
Paul Lipman, BullGuard CEO, says as much:
“Most of us have been working with internet-connected devices such as computers, smartphones, and tablets for some time, but the internet-of-things is changing our perception of personal security, for both ourselves and our data. It’s not just those who consider themselves technophobes who have these concerns—tech-savvy users are saying the same.”
KPMG in December said much the same thing, in its own report.
“When it comes to the internet-of-things, you can believe the hype … IoT will likely be even bigger than most people think. But success in the IoT space will take more than slick applications, connected devices, and advanced analytics; it will also require a robust approach to security, privacy, and trust.”
Calling for cooperation, Gary Matuszak, KPMG’s global chair for Technology, Media, and Telecommunications, says:
“We believe that the technology sector must come together with other vertical and horizontal players in the IoT ecosystem to create a unified approach to security and standards that everyone can live by, and grow with. Today’s current state of fragmentation and competition on standards will only result in greater complexity for users and reduced growth for the sector.”
Worth noting: The government’s Cybersecurity National Action Plan devotes a bullet point to a joint effort of the Department of Homeland Security and Underwriters Laboratory and others to develop a “Cybersecurity Assurance Program” to test and certify networked devices within the IoT.
Looking beyond consumer apathy
Given all this, you can’t place all the blame on consumers being deliberately ignorant, apathetic, or indifferent—although, being humans, you can’t ignore these either. Other factors affect their behavior and their risk. For example:
• Too complacent? EMV itself, says Javelin, has shifted the emphasis from existing-card fraud to new-account fraud, which now accounts for 20% of fraud losses.
• “I agree … to something or other.” Privacy policies and terms often are too long and complicated to read, causing most people to check the “I agree” box without ever clicking the link to the document, says SAS.
• “So, I’ve got a chip card. Does it fit my smart phone?” Banks have gone to great lengths to educate customers about how to use EMV cards, but need to do more to educate customers about why they should use them, CardHub told Banking Exchange.
Don’t be a cyber-ostrich
Still it will be incumbent on us all—government, business, citizens—to focus on the insidious threat of cybercrime.
Cynics among us might be tempted gloss over the Cybersecurity National Action Plan as another D.C.-centered bureaucratic response that could fade away among myriad other bureaucratic responses to other social issues over generations.
Don’t be so cynical. You can look for something tangible to come out of it, at least this year. Its Commission on Enhancing National Cybersecurity, comprised of strategic, business, and technical thinkers from outside the government, have the duty by the end of 2016 of providing a roadmap for further cybersecurity measures.
It’s nice to have a plan. What’s yours?
Sources for this article include: