Cyber security and peer pressure

Cyber security training – most IT security people would say that’s the answer to solving the insider threat problem.

But is it? Giving people information is certainly part of the solution. But training rarely changes behaviour.

Peer pressure does.

And that is why socialising safe cyber behaviour is an essential strategy if you want to ensure cyber security.

What does socialising cyber safety mean?

Socialising safe cyber behaviour involves changing an organisation’s culture so that unsafe cyber behaviour becomes as socially unacceptable as bullying and sexual harassment. It uses peer pressure or “social influence” to steer people into an acceptable way of behaving.

One of the reasons that peer pressure works is because most people like being in groups. Being in a group is safer than being isolated and, because humans evolved in a very dangerous world full of nasty predators (including other humans), we are hard wired to want this.

If we want to belong to a particular group it helps a lot to behave like the other people in the group – wearing the same types of clothing, supporting the same football team, looking, sounding, thinking and behaving like them.

In other words, people in a group often think in similar ways. Promote the right way of thinking and you can use the people’s need to be in a group to enhance cyber security and encourage cyber safe behaviour.

Following the herd

The most powerful way of doing this is to make safe behaviour seem to be what everyone else does – the “social norm”. There is lots of evidence that telling people about social norms changes people’s behaviour.

A good example of a company that successfully used social norms to change people’s behaviour is Opower, a US energy company. Opower wanted to drive energy use down. It tried several messages to do this, such as:

  • You can save $54 this month
  • You can save the planet
  • You can be a good citizen

None of these were particularly successful. So they tried a fourth message along the lines of:

  • Your neighbours are doing better than you

The results were amazing: more than 75% of the people who found this out started to save energy. In the same way, a message along the lines of “83% of your colleagues never click on links in emails from unknown sources” is likely to influence people.

Mirroring

Making safe behaviour “visible” is another effective technique. People have a tendency to follow other people, as we have seen. So if one person is seen as behaving in a particular way, then others are likely to follow.

You are in the canteen when the person behind you at the counter sees what you have on your tray and says “That looks nice. I’ll have one of those.” Why do they do it? It might be because they didn’t notice it before. But it is just as likely to be because they want to make a good impression on you by imitating you.

You will see this with body language too. When you are sitting opposite someone try changing your posture: cross your legs, fold your arms, rub your chin. The chances are the person opposite will “mirror” at least some of your changes in posture.

The same with cyber security. If one person acts in a particular way, then people near them may well imitate them. For instance, if you can get someone to claim they always use a complicated password to log on or say “No way I’d log on to our corporate network using Costalotta’s free wi-fi”, then others may well follow their lead.

Leading

People follow authority figures. So you want your leaders to act in a cyber safe manner.

There are different sorts of leaders in any group. I’d always suggest that you try to get your organisation’s formal leaders to act in a visibly cyber safe way (or at least avoid obviously unsafe behaviour).

But the CEO might not have much credibility when it comes to technology. One of the new interns may be far more credible, and influential. Or perhaps there are some popular social leaders in your organisation: these too will have lots of leadership power. Empowering your leaders to act as cyber safety role models will pay dividends.

Incentivising the group

Using group rewards that disappear if anyone steps out of line is an interesting idea. With this technique there is a reward when everyone behaves well but no one gains if only one person behaves wrongly. And as most people dislike being unpopular they do their utmost to ensure that others don’t lose out.

Creative agency 23Red used this technique to get people to complete their time sheets.

Of course this technique only works if everyone belongs to the same social group. If there is a clique of people, perhaps in sales, who don’t interact much with the rest of the organisation, then they may well not feel obliged to behave well for the sake of their colleagues.

Social shaming

This is a little controversial, although I have seen it used successfully as a way of keeping the size of email directories down. With this technique bad behaviour is reported publicly – the digital equivalent of being put in the stocks. People may not throw cabbages at you, but it is still embarrassing to be called out in front of your peers for antisocial behaviour.

Peer groups

It may be practical to start the socialising process off using one or more small groups rather than trying to influence the whole of an organisation. Socialising behaviour in a small group has obvious limitations, but get some people to engage with cyber safety and their behaviour will soon be copied by others.

Cyber security expert Richard Knowlton suggested to me that telling stories in groups is a great way of generating understanding and acceptance of the threats that cyber brings. “My email was hacked…”, “I definitely got a phishing message on LinkedIn the other day…”, “One of my friends was emailed a fraudulent invoice the other day…” Share stories and you bring the problem to life and make it seem relevant for the people in your group.

You can even think about generating solutions as a group. Thinking tends to converge when people are in small groups, especially when people are faced with a hard problem. If you set your group a cyber threat problem they will probably come up with a common view of how to solve it.

Of course you want that view to be effective and practical, so you may want one or two “stooges” in your group who have been briefed about good solutions and who can lead the conversation in the right direction. But once you have arrived at the solution, the whole group are likely to agree with it as they have been involved in uncovering it.

Rewarding good behaviour

Providing public rewards and status can also generate social pressure. If people who have behaved safely – perhaps challenging a stranger who isn’t wearing a visitor’s badge, or politely suggesting to their boss that they shouldn’t use the business centre’s PC to log into the office network – are rewarded, and if the rewards are made public, that will encourage others.

Sales teams often work this way, with the most successful salesperson being publicly rewarded, and applauded by his (no doubt slightly envious) peers. The key to this is to make the reward public: “Cyber Safe Employee of the Month” notices, mugs and mouse mats, special privileges such as being allowed to go home early…

All in all…

Socialising cyber safe behaviour is a very powerful tool. It isn’t the only tool you can use of course, and it’s not a magic wand. You will need the right tools and the right processes in place as well. But used with imagination it can make a big difference to your cyber security as well as helping more general team bonding.

Keep cyber safe!

Does your cyber security have the right aura?

Can cyber security have auras?

How can cyber security have an “aura”? It sounds like a meaningless question. But step back a little and think about how direct marketing works.

Commonly, people in direct marketing use a simple mnemonic to describe the steps they take consumers through when persuading them to buy: AURAL. I think this is relevant for cyber security.

AURAL stands for Awareness, Understanding, Relevance, Action, and Loyalty. In other words:

  1. You start by making people aware of your product
  2. You move on to helping them understand what it does – its benefits and features
  3. Then you persuade them that the product is relevant for their own needs, that it solves a particular problem they have
  4. Next you call them to the action you want them to take, which is generally putting their hand in their pocket and shelling out for whatever you are selling
  5. And finally you hope to generate some loyalty so that they will come back and buy again, and perhaps even recommend your product to their friends.

As I said, this process (which by the way doesn’t have to be linear) is pretty relevant for cyber security too. Except that “loyalty” isn’t really appropriate. But rather than simply getting rid of the “L” I am going to change it to an S: AURAS. The final S stands for Socialise. You will see what I mean in a moment.

So what do I mean by “AURAS”?

Awareness

As with direct marketing, in cyber security we need Awareness. This is aimed at keeping cyber threats, and the need for cyber security, at the front of everyone’s minds.

You might create awareness with posters (remember to move them around and change their message so that people don’t become blind to them), emails (personalised messages can be highly effective), messages when people start their computers up or start to do certain things (again remember to change them), even things like mugs and mouse mats which can be given to reward cyber safe behaviour.

Understanding

It isn’t enough to be aware of a threat though. People also need Understanding about what they can do. For instance, if you have a policy of insisting on complex passwords that are changed every month then you need to give people the tools to do this – otherwise they are likely to write their passwords down on sticky notes and put them on their monitors, hardly the cyber safe behaviour you want to encourage. (There is a hint about complex passwords at the end of this post.) This is where training comes in: helping people understand how they need to behave to keep safe.

Relevance

You also need to ensure that people feel the training they have had has real Relevance to their own lives. Not everyone lives to work. Most people regard work as a way of getting the things they want in life. Of course their job is important – so stressing that unsafe behaviour could damage their employer, and hence their own job, is one tactic.

A stronger tactic though (and one that might even generate a bit of gratitude) is to show them how being cyber safe can help them outside their work life – protecting their identity, their bank accounts, their children’s physical safety.

Action

Now you need to call them to Action. This involves communication at the moment they are doing something. For instance, BAE’s email security service has a very handy feature: if a user is tempted to click on a link in an email (generally accepted as unsafe behaviour unless you are certain who the email is from) they can be served a CAPTCHA image which makes them stop and think about what they are doing before they click on the link.

(I haven’t seen these images: it would be nice to think that instead of a standard CAPTCHA image such as a random set of numbers they contain a little message like “Are you sure?” or “Links can hurt”.)

Socialise

And finally you need to Socialise cyber safe behaviour into the organisation. The aim will be to make unsafe behaviour socially unacceptable – just as drink driving, not showering after a lunchtime run, or eating fish soup at your desk are all pretty unacceptable.

One of the most powerful ways of socialising behaviour is telling people that the majority of their fellows act in the way you are hoping to persuade them to act. This doesn’t have to be complicated. For instance, Northern Illinois University halved the amount of binge drinking by students simply by promoting the message “Most students drink in moderation.” People follow the crowd.

AURAS

AURAS: it’s a great way of thinking about the different things you need to do to change the way people think about cyber security and to change the way they behave.

An easy way to complex passwords

Now I did say I would give you a tip about remembering complex passwords that change every month. It’s easy. You need two things: a memorable phrase; and a date “protocol” (I’ll explain).

Let’s say your IT people have demanded a password of at least 12 characters that includes at least one of each of the following: upper case letter, lower case letter, number and symbol. They also want you to change it every month.

First of all, the phrase. This isn’t the same as a “pass phrase”, where people use several words as a password: there is some evidence that this isn’t very secure.

You need to think of a phrase such as: I love my job at Acme Widgets, Dorking! Take the first letter of each word and the symbols and you get: 1lmj@AW,D! (the word “at” is useful as it turns nicely into a symbol and the “I” is useful as you can turn it into a number 1).

Now think about a date “protocol”. A really simple one might be to use the first of the month. It’s October 2015, so that makes: 01 10 15. Just for a bit of fun I am going to put the first three numbers at the start and the last three numbers at the end. So my password this month is: 0111lmj@AW,D!015. Easy to remember and I can change it every month.
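The derivation above, written out as an added Python example (not code from the post): it takes the first letter of each word, keeps trailing symbols, applies the “I” to 1 and “at” to @ substitutions, wraps the result in the 3+3 split of the first-of-month date, and then checks the result against the policy stated earlier (12+ characters, upper, lower, number, symbol). The phrase and date are the post’s own; the function names are my own.

```python
import string
from datetime import date

# Constructed sample input: the phrase used in the post.
PHRASE = "I love my job at Acme Widgets, Dorking!"

# Word substitutions the post uses: the word "I" becomes the digit 1, "at" becomes "@".
SUBSTITUTIONS = {"I": "1", "at": "@"}


def phrase_to_stem(phrase):
    """First letter of each word, keeping any trailing symbol, with substitutions applied."""
    stem = []
    for word in phrase.split():
        # Split "Widgets," into the word "Widgets" and its trailing symbol ","
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        if core in SUBSTITUTIONS:
            stem.append(SUBSTITUTIONS[core])
        elif core:
            stem.append(core[0])
        stem.append(trailing)
    return "".join(stem)


def monthly_password(phrase, year, month):
    """Apply the post's date protocol: the 1st of the month as DDMMYY, first three digits
    in front of the stem and the last three after it."""
    digits = date(year, month, 1).strftime("%d%m%y")  # "011015" for October 2015
    return digits[:3] + phrase_to_stem(phrase) + digits[3:]


def meets_policy(password, min_length=12):
    """Check the IT policy described in the post: length, upper, lower, digit and symbol."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


if __name__ == "__main__":
    pw = monthly_password(PHRASE, 2015, 10)
    print(pw, "meets policy:", meets_policy(pw))
```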

Keep cyber safe!

Why Human Resources need to engage with cyber security

You may think that cyber security is something for your IT department to manage. If you work in Human Resources, you need to think again. Because cyber security is very much your responsibility.

No, I am not saying you need to go around seeing if your organisation has installed the latest firewall or if all your Internet of Things ports have been secured.

What you do need to do though, is to check whether your colleagues across the organisation are cyber safe.

That’s because only around one third of data breaches are caused by malicious outsiders. The rest are caused by insiders, your colleagues: acting foolishly, carelessly, and yes sometimes maliciously.

What can go wrong? A lot of things. Personal information about customers is leaked because a laptop gets left in a taxi. An email leads to an unintentional contract variation. A social media post leads to a libel suit. An unwary worker shares their log-in details, leading to data theft.

So what should you be doing?

Start with strategy

A good place to start is strategy. Most organisations have some understanding of cyber risk. But often they focus on protecting corporate networks from external risks such as hackers. What is your organisation’s cyber security strategy? Does it include sufficient analysis of internal “human” risks? If it doesn’t then you need to work with the Information Security team to identify and manage these human risks.

Develop practical policies

Developing appropriate policies to help manage cyber security and spell out the “rules” is important. You are likely to need policies in several areas: web and computer use, data privacy, social media use at work, a “Bring your own device” policy to manage personal phones and tablets, and even policies about the software and cloud services that people are allowed to use.

Writing these policies should not be a “tick box” exercise. They need to make sense: they should be easy to understand by everyone in the organisation; and they need to benefit your organisation. They shouldn’t simply be designed to make the IT department’s life easier. Sure, pouring digital super-glue into all the USB ports would stop people uploading corporate data to insecure USB sticks, but it might not improve business efficiency. HR executives, with a feel for wider business needs, as well as an understanding of what will motivate or demotivate employees, are an essential part of any cyber policy development process.

Training: tell people how they should behave

The next step is training. Training is essential because without it most people won’t know how to act in a cyber safe manner.

You might as well accept that almost no one is going to read your policies. So you will have to tell everybody about them, face to face. And it won’t be enough to read out a list of rules and corresponding sanctions for disobedience. Apart from putting everyone’s backs up, people will generally ignore rules if they don’t know why they are in place. You will need to explain what the rules mean, why keeping to them is important, and quite possibly when they can be ignored (and when they can’t).

You will need to train the way people think too. This isn’t just about describing dangers: it’s about how people interact safely with colleagues, with suppliers and customers, and with people outside the organisation. It’s not about following rigid processes: it’s about understanding how to avoid risk in the first place. For instance you can’t tell people the precise information to avoid sharing on social media. But you can help them understand what types of information they shouldn’t share and how competitors can draw conclusions from seemingly innocent pieces of data.

Build continued awareness

Don’t think a one-off (or even annual) training session will cut it though. You need to keep awareness of cyber safe behaviour at the front of people’s minds. This means developing assets designed to deliver continued awareness of cyber risks – posters (that change design and location regularly), screen savers, sign in messages, even mouse mats and mugs.

Develop a cyber secure culture

An even more important issue for HR to address is culture. An organisation that doesn’t take cyber security seriously is unlikely to be changed by training and awareness. HR may need to address underlying cultural assumptions.

Start by auditing the security culture. Do this from the perspective of employees: what cyber risks do they know of; what do they think of existing security processes; to what extent do they feel security is their responsibility? And do it from the perspective of the organisation: how are employees expected to behave; what sort of resources are provided for security; is dangerous behaviour stopped, tolerated, or not even noticed?

Once you know what needs to change, you can start thinking about how to do that. Build persuasion tools, such as leader boards of cyber-safe behaviour; incentivise safe behaviour with praise or other rewards – and make sure it is not disincentivised accidentally; ensure that leaders walk the cyber security walk; develop an intolerance to unsafe behaviour. (“Why are you putting my job at risk by doing that?”)

But don’t develop a blame culture. That way you will just drive unsafe behaviour underground.

Encourage people to be less trusting

Sadly, one element of culture you will need to work on is trust. People are often very trusting and this can be a problem for cyber security. They need to be taught to question: emails don’t always come from the people they appear to, friendly people on the phone aren’t always who they say they are, confident people striding round the office without a visitor’s badge don’t necessarily have the right to be there. Defending against people who take advantage of trust doesn’t need complex software: it needs awareness, sometimes combined with robust processes.

Make sure cyber security is usable

HR teams also need to work on the usability of any security processes.

By their nature most IT people are very logical. In addition they understand the purpose of systems they are developing. And of course they are focussed on their responsibility to protect IT systems.

In HR you are also focussed on cyber security. But you may have a wider view of the organisation. Almost certainly you understand what motivates people. You understand how people perform their tasks. And you probably provide a receptive ear to frustrated colleagues. In fact you are probably going to be one of the first people to hear about cyber security initiatives that are counter productive – because they cause blocks in efficiency. And you may even hear how people would like to alter them.

All this means that you are in pole position to identify usability problems, to construct the analysis that proves (to sceptical colleagues in IT) problems exist and to make the case for change.

Monitor “off network” activities

Not everything that should concern your organisation will be happening within your corporate network. Your colleagues, almost inevitably, will be using social media. And many will be commenting on colleagues, clients, your organisation and your industry. In addition they may be using cloud computing services such as Dropbox and Google Docs to store, edit and share corporate information. This type of activity needs to be managed, to preserve information security and to protect reputation.

Recruit sensibly

When recruiting, watch out for people who may not be cyber secure. Anyone who comes from a competitor boasting they can bring a list of clients on a disk may well be less than trustworthy. You might also need to think twice about people whose social media posts are irresponsible – perhaps complaining about their current employers or giving information away about new initiatives.

Keep an eye on risky people

Some people will be higher risks than others. Sometimes this will be a result of personality. For instance, sales people are likely to be more open, and possibly more trusting, than finance people. But that’s not where the real risk lies. The people you will need to monitor most closely are those who feel disengaged from your organisation. These may include temporary staff, new recruits during a probation period, people on low pay or in boring jobs, people who have handed their notice in, and people who are having difficulties at work, perhaps experiencing disciplinary procedures.

Yes, cyber security really is an issue for HR

Human Resources managers may not be particularly focussed on technology. But they have a responsibility to learn about cyber security because the role that HR can play in preserving security is an enormous one. In other words, if your HR and IT departments are not working closely together on cyber security you are opening your organisation up to some major and unnecessary risks.

Eight steps to change cyber security culture

Hackers are always a problem. And naturally, your IT Department has network security buttoned down. But they are probably more worried about something else: you and your colleagues.

The big challenge in cyber security is people. It is how to change an organisation’s culture from relying on IT for security into one where everyone takes responsibility. Everyone, from the CEO to the newest intern.

John Kotter famously proposed an eight step process for changing organisational culture, starting with “Establish a sense of urgency” and finishing with “Institutionalise the change”. Well, most people realise that the cyber security problem is pretty urgent. So I thought I’d outline a separate set of eight steps that organisations can follow to strengthen their cyber security culture.

Step 1. Build your guiding coalition

Start by building a multifunctional team to guide change. Cyber security shouldn’t be the responsibility of IT alone, so you will need people from across the organisation to be involved: sales, marketing, operations, finance… This is essential so you get buy-in across the organisation.

More importantly though, if your approach to security doesn’t take account of the way people work, it will fail.

Step 2. Form your vision and scope out your intentions

Next you need to form your vision for cyber security. That should be simple: to protect your assets, reputation, efficiency and information from computer based threats, and to ensure that your digital information is private, is accessible by people who have authority, and has integrity (think “the truth, the whole truth and nothing but the truth”).

In addition you will need to identify the scope of your vision: who it applies to, and what assets, processes and information are relevant. You will also need – and this is a big task – to identify the risks that your vision faces and how best to manage them.

Step 3. Define the details of what you want to achieve

Out of your vision will come the detailed policies you need around cyber security (including policies on IT and web use, Bring your own device, Privacy, and Social media). These need to be expressed in clear language: avoid techie jargon at all costs. Having a truly multifunctional team should mean that the policies should be relevant and effective for your whole organisation.

Step 4. Build new processes

Based on your policies you will be able to identify the tools you need to implement and the processes you need to develop that will help to protect you from cyber risks. It is vital to include a cross section of employees in the design of these systems. Without them you are likely to end up with unusable, frustrating and inflexible processes. If that happens your workforce will soon be looking for ways to work around them. So remove any barriers to people being cyber safe.

Step 5. Educate

Bring your policies to your workforce and educate them about any new tools and processes. Tell them why cyber security is important – for your organisation but also for them personally. And make sure they understand what they should do if they have problems or if things go wrong (as they surely will).

Don’t rely on one-off training sessions: make sure that security is constantly “front of mind”, with reminders using different techniques, messages and media hitting them as often as possible.

Step 6. Persuade

You can “educate” all you want, but if you fail to persuade them about the importance and effectiveness of what you are proposing then you won’t change anyone’s behaviour.

There are lots of methods that you can steal from marketing and from behavioural economics here. For instance, make sure authority and other credible figures are seen to follow the rules (if the Chief Exec is lax with security you can be certain everyone will happily follow their example). Prove to people that your new ways of working actually deliver benefits. Help people realise that they face constant and sometimes personal risks but (and this is very important) that there is plenty they can do to keep safe.

Keep an eye on how people are incentivised as well. Not about cyber security but about their every day tasks. Don’t put incentives in place that could persuade people to behave in an insecure manner.

Step 7. Socialise cyber security

Kotter talks about “enlisting a volunteer army” and that’s exactly what you have to do. You need everyone in your organisation buying in to the idea of cyber security. Part of this will be ensuring that “the organisation” behaves properly: if it is seen to be cavalier with the security of customer data for instance your internal processes will lose credibility. Ultimately you want your workforce disapproving of people who behave unsafely.

Disapproval doesn’t mean developing a blame culture. That would be very damaging – given the ever changing nature of cyber threats you need people to be able to feel safe if they make a mistake or if they respond wrongly to a new threat. But you do need people to accept cyber safety as the norm and as something that has value in protecting their career and indeed themselves personally, as well as protecting their colleagues and the organisation as a whole.

You might want to take some ideas from Sales as well – leader-boards for people who are particularly effective, prizes for good behaviour, simple recognition for jobs well done…

Step 8. Monitor and enforce

Measurement is very important. Your organisation needs to know how well it is maintaining a positive security culture. Identify some relevant KPIs so you will know if you need to take remedial action.

Enforcement is also important. If people who act unsafely are seen to get away with it then others will quickly follow them. Regular negligence and malicious behaviour may need disciplinary sanctions. More often than not though, you will simply need to offer a little “re-education”. And treat this as a learning opportunity for the organisation as well as the individual concerned. After all if someone is regularly breaking the rules it could well be the fault of the rules!

Selling cyber security to the Board

Fact 1. Almost all businesses rely on computer technology and this reliance is increasing.

Fact 2. Last year around two thirds of British SMEs experienced a cyber attack.

Fact 3. Two thirds of SMEs don’t regard themselves at risk from cyber attacks.

Why is there this big disconnect between the risks that SMEs (and in fact all organisations) face, and the way that risk is perceived? Perhaps it is something to do with the way the whole concept of cyber risk is “sold in”. So here are a few dos and don’ts when trying to persuade senior colleagues (or clients) of the importance of cyber security.

Don’t use FUD (Fear, Uncertainty, and Doubt). Telling people that their world is about to end is likely to have one of two results: they may be so frightened that they avoid thinking about the problem at all; or they will get angry with the threat and turn that anger on you as the bearer of bad news. Either way you won’t get anywhere with them.

Do describe some of the things that can go wrong, but explain that these risks can largely be managed and that there is no need to panic if they take the appropriate actions (which you can help them with). Emphasise that there are practical solutions within reach and that, while 100% security can never be attained, there is a lot that can be done to reduce risk to acceptable levels.

Don’t use the cost of cyber attacks as a motivator. For many companies the cost of the average attack is really quite small. The average cost of a major security breach at a large organisation is £1.4 million. Sounds a lot if you are a one-man plumbing band, and it might be a lot compared with your salary or your budget; but it’s nothing if you are a Board Director of a major retailer. (Note the FUD in the headline – what about the cost of minor security breaches, what about small organisations?)

Do talk about business problems and emphasise that the real damage is likely to be to reputation, staff motivation, compliance failure, and the leakage of strategic information. Oh, and it can cost you quite a bit too.

Don’t make it all sound difficult. If you start using jargon and describing complicated technology then all you will do is convince your colleagues that you should be talking to the IT department and not them.

Do explain that cyber security is a people problem, not a technology problem. It can impact anywhere in an organisation and needs to be managed by the whole organisation and not just the IT department. After all, most problems are caused by insiders – accidentally, because people trust too much, because security systems are not usable (and so don’t get used), or simply because people don’t understand the risks.

And finally, make it personal. Explain how cyber unsafe behaviour can put their own possessions, and more importantly their own reputations, at risk. If they appreciate that they need to act in a cyber safe manner, the chances are that they will accept that their organisation also needs to be cyber secure.

Most of our kids are digitally illiterate!

The vast majority of UK kids today don’t have the IT skills they need. This at least is the view of an IT professor at a leading British University to whom I was talking this week. 90% of the students who join us are functionally IT illiterate, he said.

Is this a surprise? Perhaps, given the amount we hear about the natural facility that Millennials and Digital Natives are supposed to have with computers. But using Facebook on a smartphone isn’t the same as being digitally competent. Far from it.

Searching and researching

So what are these digital life skills that our children are not being taught? My professor friend started with web search. His students, he told me, are incapable of searching online efficiently. And searching efficiently is a skill: it is difficult to formulate searches that are likely to bring up the most relevant results without thinking carefully first and choosing the best search terms. How you search is also important: using phrases, “Boolean” search, advanced search, and the different “Channels” of search engines (web, news, images, shopping etc): basic skills.

Choosing the right results is also important. It is never likely to be sufficient when researching an issue to go straight to Wikipedia and copy out what is there. Unfortunately kids are not told about how Wikis work (anyone can edit them); they are not told to look for authoritative sources and sources that confirm what other people are writing. There is a lot of rubbish published online: and if that rubbish is easy to find then kids will as often as not believe it and repeat it.

Working smart

Ever lost a file because you forgot to save it and your computer froze? Yes? Me too. Not for a while though. Saving files before I start working on them is second nature to me now. And I’ll name my files in such a way that I can find them later. I’ll even create my own filing system, both for documents I am working on and for my emails. It makes life so much easier.

And talking of emails, it’s frightening that around a quarter of time spent by office workers is on managing email. That is a huge waste of resource. And it’s because people aren’t taught how to manage their emails. (Please don’t tell me that emails are dying out: you need them for most shopping sites and they are going to be around in offices for a while yet.) Different accounts for different situations; filing systems; rules for which sort of emails remain in your inbox, which ones are filed and which are automatically deleted; skill in interpreting the headers of emails and deciding which ones to look at; all of these ways of working (and others) make it far easier to manage the mudslide of emails that most office workers suffer from.

Another thing about email that it is important to teach: there is no physical context. All you get is words. If I insult you as a joke, you can tell it’s a joke by my expressions and body language. That’s not there with email.

Perhaps the most basic skill for a digital life is touch typing. I’ve never learned I will admit: too old now! (And my fingers suffer from the way I type.) Touch typing (and perhaps texting too) should be a basic skill for all children.

Keeping safe

Why do we let our children put themselves in the way of danger all the time? Keeping safe online is essential. This isn’t just about “stranger danger” and avoiding porn – pretty well taught online. But there are a host of other dangers out there.

Ever taught your kids to recognise phishing emails (perhaps you don’t recognise them yourself) or safe behaviour around clicking on links in emails? Do they know about the dangers they expose themselves (and probably you as well) to when they download copyright material such as movies illegally?

How well are they able to protect their reputation online? Do they understand the dangers associated with unwise social media posts, sexting, and the like? And what about “trolling” (being unpleasant and threatening to people online, for instance on Twitter or during video games): I don’t mean how to respond to it, but the fact that it is often illegal and can result in jail sentences?

And what about keeping accounts secure? What sort of passwords are your kids using? What sort of password will they use for online banking and other life-crucial applications? And while we are about it, do they understand the dangers of using public wi-fi? Or public computers? Thought not!

What to do?

There is a lot that can go wrong in a digital world. Most of the inconveniences and dangers are relatively easy to manage. But you need to know about them. You need the right education.

Where should this happen? In schools, naturally. But after primary school most children are not taught IT skills to any extent. Even when they are, the subject isn’t taught adequately: one of my children who is studying for an IT GCSE isn’t being taught programming, or any of the skills I have outlined above. The syllabus is confined to learning MS Office.

Something needs to change in our schools. Otherwise the UK will fall far behind other nations who are better preparing the new generations for life in a digital world.

The Internet of Things and cyber security

Some say it was the refrigerator what done it. Others say it was innocent, and it just happened to be in the same place (well on the same network) as the real culprit. But whether or not the refrigerator was innocent, the Internet of Things (IoT) is still a big cyber security risk.

Disruption

Think of the disruption a dedicated hacker could cause. Access lighting or heating systems and you could make the office buildings of a competitor uninhabitable. Access security systems and you could lock people out of certain rooms, or perhaps in them, if you were really mean.

Denial of service attacks

One potential problem is malicious people using IoT devices such as routers, security cameras, printers, and yes, even fridges, to act as “botnets”, networks of remotely controlled computers that can be used to launch cyber attacks. (Rather delightfully, networks of IoT devices used in this way are sometimes called thingbots.)

Perhaps you won’t mind too much if your security camera is part of a thingbot that wrecks a competitor’s ability to trade online. (But perhaps you should if your negligence can be proved to have caused damage to someone else.)

Attacks on industrial control systems

Physical damage to machinery is another potential disruption risk. The most well known example is the Stuxnet “worm” that managed to damage Iraq’s nuclear centrifuges. The malware was apparently circulated on USB sticks left lying around in convenient places so that the centrifuges, isolated from the wider Web, could be targeted via a careless person using one of the USBs in the wrong place.

Stuxnet wasn’t really an example of an IoT cyber attack because the centrifuges were not connected to the Internet. But it’s not the only time a machine has been damaged by a cyber attack. Late last year massive damage was caused to a German steelworks that suffered a cyber attack. Attackers used scam emails to steal log-in information and then gained access to the steelworks control systems, causing an unscheduled shutdown of a furnace which in turn caused the damage.

Capturing data: network hacking

What else can go wrong? Well, IoT devices massively expand the “attack surface” of organisations. Instead of protecting corporate information networks, IT managers now need to protect all those devices that may be attached in some way to the IT network. Often these devices are not well protected and represent security weak spots where information can be stolen or altered. Hacking into a network via smart lighting systems that are only protected with default passwords is one way (a theoretical account of how this could be done can be found here).

Supply chain weaknesses can cause network risk

People, often trusting, sometimes lazy, are frequently the biggest weakness in any security system. The Internet of Things expands that risk as the employees of companies who provide and service IoT devices are given access to corporate networks. People who are not directly employed are naturally harder to manage and so may be less cyber secure than regular employees. One of the largest hacks in recent times was suffered by US retailer Target, which was penetrated via an employee of its air conditioning units supplier. The employee had access to Target’s systems for the purposes of maintaining the air conditioning units. But when his log-in details were hacked via a scam email, the hackers had access to the Target IT network, including files containing millions of customer credit card details, which they stole.

Industrial espionage

That’s not all, though. Hack into a printer or scanner and you could have access to documents that are being printed. Start controlling security cameras (as has been done with baby monitors) and you have the potential to spy on companies or perhaps switch the cameras off prior to a burglary. Or plant spyware such as the Dragonfly malware on a system and use it to record and transmit proprietary information.

All in all…

The Internet of Things is only going to get bigger. As with all digital technology, security will never be perfect. So it is important to evaluate this risk in a measured way and avoid a panicky response. Organisations can protect themselves from the worst of the risk by identifying all devices and systems that are connected to the internet, changing default passwords, and favouring suppliers of IoT systems that have a good security record. But the first stage will always be to recognise that the risk exists.
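The three controls above (know every connected device, get rid of default passwords, and keep an eye on supplier access like the Target air conditioning contractor) can be turned into a repeatable audit. The script below is an added example, not code from the original post; the device records, the vendor names and the table of factory credentials are all constructed sample data, and a real audit would take the inventory from a network scan or asset register and the credential table from the vendors’ manuals.

```python
"""Audit a constructed inventory of connected devices for the control gaps
the post describes: default passwords, devices IT did not know about,
direct internet exposure, and supplier remote access that needs review."""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    vendor: str                  # constructed sample vendor names
    username: str
    password: str
    internet_reachable: bool     # exposed beyond the corporate LAN
    vendor_remote_access: bool   # supplier staff can log in remotely
    in_asset_register: bool      # did the IT department know it existed?


# Constructed sample of factory credentials, not a real vendor list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"),
                       ("root", "root"), ("admin", "")}


def findings(dev: Device) -> list[str]:
    """Return the control gaps for one device, in a fixed order."""
    gaps = []
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        gaps.append("default credentials")
    if not dev.in_asset_register:
        gaps.append("not in asset register")
    if dev.internet_reachable:
        gaps.append("reachable from the internet")
    if dev.vendor_remote_access:
        gaps.append("supplier remote access (review and restrict)")
    return gaps


def audit(inventory: list[Device]) -> dict[str, list[str]]:
    """Map device name -> gaps, omitting devices with nothing to fix."""
    return {d.name: g for d in inventory if (g := findings(d))}


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Device("hvac-controller", "SampleAir", "admin", "admin", False, True, True),
    Device("lobby-camera-2", "SampleCam", "root", "R0tated!2024", True, False, False),
    Device("print-server", "SamplePrint", "admin", "Long-Unique-Pass", False, False, True),
    Device("smart-lighting", "SampleLux", "admin", "1234", False, False, False),
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(gaps)}")
```

Devices with no gaps drop out of the report, so the output is the to-do list for the IT department rather than a dump of the whole inventory.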