The title of this blog is possibly a little misleading. I’m not advocating no technology. For a start, I couldn’t write this blog without it. I just want to make the point that tech isn’t the answer to everything and, in particular, that solutions to Cyber-Crime are not purely technical.
In a speech at the Billington Cyber Security Summit last week, Ciaran Martin, the incoming CEO of the National Cyber Security Centre, set out how this new organisation will work. I applaud the establishment of this organisation. Cyber defences in the UK are currently disparate, competitive and confusing. You can’t fight a war with an army that is competing internally, so bringing all functions under ‘one roof’ has to be a good start. Providing a ‘one stop shop’ for Cyber Security advice and guidance is great. However, will it be a ‘one stop shop’?
After reading Mr Martin’s speech, I was concerned that there appears to be little or no focus on the softer side of Cyber Security. Nearly all of the speech concentrates on the technology solutions the organisation will put into place. There is no doubt that the solutions are innovative and as such possibly a little controversial, but even the best technology solutions cannot be the complete solution.
Let’s use the analogy of a secure building. We may build big walls and high fences and, to ensure that these are not scaled, install anti-climb technology. We put access control on the doors, with PIN code access for added security. The alarm systems cover any eventuality and there are cameras covering every conceivable angle. Shatterproof windows and break alarms are also a must. At great cost, we have it all covered. But we fail to tell staff the importance of keeping their access cards and details safe, and the reasons why. Someone’s access card is stolen and, because the PIN code is difficult to remember, they have written it on the card. Suddenly all the security mechanisms are redundant: a potential villain has the keys to the castle.
This analogy can easily be aligned to Cyber-Crime. We can put all the security technology in place, but if one of the system users gives away the keys to the ‘IT Castle’ it will be in vain. Kevin Mitnick, probably the world’s most famous hacker, stated in his book The Art of Deception: ‘the human factor is truly security’s weakest link’. This view is supported by the rise in social engineering attacks taking place in an attempt to circumvent the increases in technical security.
It is for this reason that I was very disappointed not to see a ‘human’ element to the National Cyber Security Centre. UK businesses need not only technical advice; they also need to know how to educate their staff and what to educate their staff in. Let’s hope that tech is simply seen as a higher priority at this point and that the Human Factors will soon follow.
Featured image by: Charles Stanford Flickr Commons