Cybercrime is relentlessly on the rise. Thirty percent of citizens say they’ve been victims and 79% are concerned about it. It’s clear that we need to find new ways to safeguard ourselves, as individuals, businesses and societies. The current approach tends to rely on individual organisations protecting themselves. But that’s unsustainable: there will never be enough security talent to go round.
Today, larger organisations can afford to employ their own security teams. But even the best of these won’t stop a determined hacker. For example, some ethical hackers have never failed to break into an organisation. In other cases, organisations haven’t implemented even the most basic protection, leaving themselves open to hacks that anyone can buy online for a few dollars. Realistically, smaller organisations will never have enough resources to implement the stringent controls needed to protect against all threats.
An expanding digital ecosystem is making the problem even more acute. Approaches that promote experimentation and speed are fundamental to digital development, but they sometimes come at the expense of safety. As we move towards systems that directly affect our daily lives, we will need to consider additional strategies – especially for technologies like the IoT and robotics – that could cause direct harm.
Many industries operate with a mature set of legislation, policies, guidelines and practices that protect people from harm. Like the systems that control our trains and planes, these have evolved over time. New practices that protect against vulnerabilities were learned from past mistakes.
Some governments are now starting to adopt strategies that aim to protect society from digital threats. That’s the good news. The bad news? Many of these strategies have positive intentions, but their implications have not been adequately considered.
For example, the Australian government introduced legislation that would allow it to decrypt messages between criminal and terrorism cells. While that’s a laudable aim, its implementation is essentially impossible. Major commercial entities’ inherently private messaging systems would struggle to comply. What’s more, criminals could simply move to one of the many unregulated messaging systems hosted outside Australia.
Meanwhile, to protect children from pornographic material, the UK government legislated to enforce identity checks on access to pornography sites. Here again the intent is positive, but the implementation means that adults need to provide their identity details to those sites, with the risk of that information being exposed through hacking.
So how should we move forward? I see two essential strategies for protecting ourselves from harm.
- First, we must strengthen our use of security services – taking advantage of security specialist services rather than trying to implement security internally.
- Second, we must create stronger controls to implement security practices consistently across the industry.
Using sophisticated security services provides a high degree of confidence that systems are protected. While not guaranteeing that an organisation will never be hacked, it does considerably reduce risks.
Government has a special role to play in defining policy and legislation that will drive the standards and practices needed to increase our safety. And like other industries have done, we need the IT industry to implement standards and practices to increase our protection. Investing in creating these frameworks is essential to avoid digital crime threatening our society and lives.
But how will national controls manage the balance between protection and privacy? We must improve citizens’ and businesses’ safety – but we also need to protect citizens’ rights and privacy. It’s a tricky balancing act. We need to recognise the need for both and develop governance that improves our protection and maintains our privacy.
I’d be interested in hearing your views; leave a comment below.
Source: Accenture Public Service Pulse Survey 2016