#NCSAM Interview: Sir Rob Wainwright, Senior Partner, Deloitte

If the current Cybersecurity Awareness Month is to penetrate the public’s attention, then it needs to ensure it gets the message correct, particularly if the public is sold on “functionality, not security and privacy.”

Speaking to Infosecurity on the subject recently was Sir Rob Wainwright, senior partner at Deloitte and a former executive director of Europol where he helped establish the European Counter Terrorism Centre and the European Cybercrime Centre, following a 28-year career in intelligence, policing, government, EU and international affairs.

Wainwright said that the IoT is a significant part of the infrastructure that attackers are looking to exploit and cited some of the key issues regarding awareness around IoT security.

“The awareness is strong in government and law enforcement, but among consumers and even manufacturers, less so. The problem that has been there for a number of years is the [manufacturers] are driven by a different bottom line, which is to capitalize on their great new invention and to be the first to market.”

This is a commercial driver, but Wainwright said he felt embedding security into the R&D of these devices “has not featured as a top priority,” that too much of a “release now, patch later” approach has been used, and that the concept of “security by design” is not part of the culture of how companies think and act.

Wainwright argued that the public had been sold on functionality, not security and privacy, but that the public was probably “waking up to the threat of security and privacy.” He cited the raised awareness of privacy issues, particularly where we don’t want our data to be used and shared, and called this awakening helpful “as it will promote this better culture in the industry.”

He cited the common use of standard passwords, and one case he worked on at Europol where the default password could not be changed, which could enable cyber-criminals to carry out attacks easily.

As for awareness month, how much did he feel these sorts of campaigns actually generate interest? He said that having run campaigns at Europol, especially in the case where the public were encouraged to help identify locations or items in child abuse images, such campaigns can “excite the public attention,” but often it does require “something over and above the norm.”

He said that without securing the engagement of the public, a campaign can get lost among other news coverage, in particular with the US election taking place next month. He admitted that trying to have any impact in an awareness month can “run the risk of repeating mantras and lecturing,” and that this requires finding a hook, which can often come from a major cybersecurity story and can be used “to counter this saturation effect.”

Concluding, Wainwright said that greater focus should be put on awareness around data, rather than on financial crime, as organizations are often less concerned about cyber-attacks because they presume they are not a target.

“In terms of cybersecurity awareness, the focus on data has to be greater,” he said, adding that there is an interesting overlay with data ethics – where privacy meets security – which is about doing the right thing with the data, and that means protecting it.


Sir Rob Wainwright will be speaking at the Post-COVID Summit, organized by Atomium-EISMD, 15-17 June 2021

