This year, the topic of the conference was Cyber Warfare, Populism, and Security. The speakers and panellists included security professionals from the private sector, the European Court of Justice, the European Commission, the University of Cambridge CERT (Computer Emergency Response Team) and elsewhere. I’ve put together a list of 5 great thoughts (of course there were more) I took away from the conference.
1. Policy is pointless, we must educate users instead.
Virtually nobody reads the security policies that have been put together for big organisations such as universities — that goes for the University of Cambridge as well as the University of Manchester. Kieren Lovell, Head of CERT at the University of Cambridge, told us an example that speaks volumes: in a room full of people, everyone was asked to put up their hands if they had read the security policy. Three people raised their hands. Then everybody who had written the policy was asked to put their hands down, and those three people put their hands down.
‘Knowledge without understanding is useless.’
Instead, we should educate the users and tell them how it affects them. When a lecturer is asked to change his <Surname1> password, he most probably does not care. However, if we mention that his or her research is at risk, he is much more likely to consider changing it. Again, Kieren Lovell brought a great example to illustrate it: a student was unable to hand in his Master’s thesis in Cambridge, because somebody had submitted his thesis a couple of days before, after hacking into his OneDrive account. If the IT team had approached him with a personalised message saying that this could happen, it probably wouldn’t have happened. Why is IT security here in the UK still decades behind, and why are we creating pointless policy that nobody reads? Why aren’t we approaching our users personally, telling them what matters to them?
2. ‘Blame Culture’
Each and every student is responsible […] for all actions undertaken using their University login credentials […].
3.4 Unacceptable use
[…] Other unacceptable use of University IT facilities includes the following activities, some of which may be unlawful in certain circumstances:
the introduction of malware (such as viruses) and/or password detecting software;
What happens when a staff member or a student reports a cyber security threat or malware to the IT team? Well, at the University of Manchester, you could be held responsible for the introduction of malware (read more about Acceptable Use of IT Facilities and Services). So, why should you report it?
Instead of creating policies that discourage users from reporting malware, we should think about how to motivate them. The report from the user who first discovered the malware could be the key piece of information when tackling these situations. Unfortunately, blame culture is very common, and because of it many organisations don’t get any incident reports at all.
3. ‘The UK is never going to step up in cyber security without a digital identity.’
In many countries, including the UK, there is no government-backed way to tell anyone on the Internet who you are — there is no way to prove your identity in cyberspace. It might be the case that many countries do not tolerate numbering or tagging people, or the governments are just not interested in implementing digital identity, something that has been around for almost two decades in Estonia (read more about the country built on blockchain — e-Estonia).
Why is that a problem? Well, without digital identity there’s no secure way to sign documents digitally and prove who you are online. Without digital signatures, we are restricted to signing documents physically and posting them — we all know how insecure that is. Digital identity would also mean that there is always a trace left behind, whatever you do. It allows us to define ownership in the digital space. For example, in Estonia, people own their data. My information is owned by me and I can see everything that is happening to it — a few months ago I had to update my driving licence and I am able to see that the Road Administration has accessed my information for creating the new licence. If necessary, I can ask them for more information regarding that. Similarly, I get a real-time notification when my identity has been used. Without digital identity all of that wouldn’t be possible.
P.S. If you would like to know how to start a business in the EU in minutes, read more about e-Residency.
4. What or who to trust in cyber space and social media?
In the real world, we usually trust people until they do something to lose that trust. Should we do the same in social media and cyberspace? No, we shouldn’t. In social media, people tend to trust most of the content their friends share — no matter how credible the original source is. It’s been studied and it’s a fact. It’s also the main reason fake news spreads so easily.
It’s something even I do: when my friends have shared something, I believe the headline. So how can we stop spreading fake news? First, we should think before sharing something. In addition to thinking, we must act — fake news is essentially feeding populism and is therefore a threat to democracy.
We can act in many ways: (hackathon idea) build a(nother) fact bot that comments fact checks under fake news posts, or just submit a simple report to the social media website you’re using.
5. Don’t just think, act.
How are we going to tackle the threats in the cyber world? The advice from the panellists, including Peter Woolsey, CEO of The Euro Baltic Software Alliance group, is the following: don’t just think, act — but think before you act!
It is good to see that the University of Manchester is not just thinking but acting. The University has started a Cyber Security Programme to educate staff and students. Visit manchester.ac.uk/cyber to learn more.
Click here to find out what cyber security is and why you should care.