What's that? You didn't know that Cyber Security Awareness had a whole month dedicated to it?* You can perhaps be forgiven for the oversight, given that we're into its final week in the 12th year of its existence and I've only just stumbled upon it whilst actively searching for developments in the field of intellectual property and information protection.
I think that its existence tells us a great deal about the state of data protection in the modern era. Reserving October for the recognition of cyber security to the exclusion of many other worthwhile causes is certainly a statement of intent, aligning with the message emerging from the Obama administration this month. “We now live in an era of the Internet… (and) this reliance reminds us of our need to remain aware, alert, and attentive on this new frontier.” With this in mind, society is called to arms, “to recognize the importance of cybersecurity and to observe this month with activities, events, and training”.
The war cry carries across the Atlantic Ocean: through the European Cyber Security Month, a campaign which began in 2012, numerous events have been held encouraging individuals to choose stronger passwords, update software, and act responsibly online. However, whilst the campaign urges individuals to “Stop, Think, Connect”, it seems many in the UK are unable to progress beyond “Stop”, leading to a disconnect between the initiatives of the UK and the rest of Europe. Out of 240 events, the UK only hosts 7, which for a population of 64 million is woefully insufficient. This places the UK behind the likes of Slovenia (8), Norway (9), Luxembourg (9), and Romania (12), whilst the number pales in comparison to the efforts of Austria, who host 43 events across October.
In addition, I was able to find eleven events on Facebook in the month of October held in the UK which were dedicated to cyber security. Of the 1825 people invited to these events, only 298 had clicked attending, a mere 16% of individuals who were deemed potentially interested enough in the subject to warrant an invite.
So the UK populace seems to be supremely confident in the infallibility of its online data reserves, regarding our isle as an impregnable cyber fortress. Yet one only needs to glance at BBC News for the proof that this is a fallacy – Talk Talk have proven that UK businesses are no more resistant to data breaches than any other. And what is more worrying is the allegation from the Institute of Directors that whilst it is only these serious breaches that make headlines, attacks on British businesses “happen constantly”.
The latest figures released by PwC would certainly attest to this assertion and suggest that the UK is resting on a false sense of data security. A study released in June revealed that nine out of 10 large UK firms have been victims of cyber-attacks, whilst earlier this month PwC revealed that executives were reporting a 38% increase in cybersecurity breaches as compared to the prior year’s survey.
The discontent generated surrounding Talk Talk's refusal to waive early-exit charges for those wishing to end their contracts hints at the potential cost such breaches can have for British firms. Given that this is the third time Talk Talk have suffered a security breach this year, the issue of breach of contract is certainly prominent in discussions and could cost the firm significantly through legal fees and lost revenue. PwC claims that the average cost of a cybersecurity incident or breach was £1.7m, but the Ashley Madison leak highlights the fact that the upper limit far exceeds this number. A Canadian class action suit seeking $760 million is already being pursued, with numerous other lawsuits underway in America. In fact, the impact of the breach has been so severe that it has led Professor of Popular Culture at Syracuse University Robert Thompson to suggest that “One couldn't have invented a more efficient scenario for the annihilation of a brand”.
So in a best case scenario, cyber security breaches are costing UK firms and the economy millions of pounds, and in its worst iteration it threatens the existence of the entities themselves, not to mention the personal toll such breaches can take. All of the above makes the failure of the UK to properly enter the spirit of Cyber Security Awareness month more baffling.
A devil’s advocate may suggest that such initiatives are pointless – America has supposedly been taking the matter seriously for over a decade and has suffered more high profile data breaches than anywhere else, with eBay, Sony and a raft of celebrities all suffering the consequences of insufficient data protection mechanisms.
Indeed, the Federal Trade Commission has suggested that data thieves will be more attracted to large data sets, undoubtedly a mainstay in society, with online sales expected to increase by 18.4% this year. Stephen Bonner, a partner in KPMG’s cyber security practice, has gone as far as likening combatting cyber-crime to tackling a Hydra – as the head of one channel of data breach is severed, technological advances will see other methods of hacking taking its place. So perhaps Cyber Security Awareness years, decades or even centuries wouldn’t be sufficient to instil sufficiently robust data protection practices to prevent data leaks from occurring, and we should accept their occurrence as the new status quo.
Such pessimism ignores the fact that implementing relatively straightforward protective measures can significantly reduce the risk of becoming the victim of cyber security breaches. The Online Trust Alliance has reported that 90% of data leaks in 2014 could have been avoided by firms simply rethinking their prevention strategies, whilst early indications suggest the Talk Talk breach arose from a simple hacking trick known as an SQL injection which the firm should easily have been able to guard against. Indeed, Converge Technology Specialists, the country’s only dedicated Cloud computing provider for law firms, have suggested 10 simple measures Law Firms can adopt to ensure a reduction in instances of cybercrime. These include implementing Risk Management committees, reviewing IT security positions with a specialist and training staff to be aware of potential threats.
The fact that we anticipate that such simple measures will successfully stem the tide of data breaches the 21st Century has witnessed confirms what we might have guessed from this article's initial allusion to the fact that the average person is unaware of Cyber Security Awareness month; societal failure to take threats to cyber security seriously has prevented the campaign from achieving fundamental change in online practice. What is required, therefore, is a sustained drive which ensures data protection measures keep pace with efforts of hackers, cutting off each new Hydra's head before it can develop fangs.
There is arguably hope on this front; the impact that data breaches, such as those of Ashley Madison and Talk Talk, are having on individuals is serving as something of an eye-opener. Not only has the latter breach sparked demands for new regulatory powers to ensure best practice measures are adopted, but the improved societal awareness of the issue may lead to firms voluntarily adopting the practices outlined by Converge, leading to strengthened Cyber-Protection measures country-wide.
It might be that in future years I am able to wish you a Happy Cyber Security Awareness month and know that you truly are happy with the state of your data protection. Until then though, the champagne is on ice.
*It may be that you WERE actually aware of the existence of Cyber Security Awareness Month prior to reading this article. If so, I commend you for remaining alert to a global initiative which slipped under the radar for 100% of the 20 people I asked about it.