The recent cyber-attacks on major retailers in the UK have shocked members of the public, embarrassed CISOs and wiped large amounts off share values (at the time of writing some £700m had been sliced off the value of Marks & Spencer).
But apart from the National Cyber Security Centre (NCSC) suggesting that such companies (including the Co-op and Harrods) update their systems, and several cyber experts clocking up valuable promotional airtime, no-one seems to have come up with anything even approaching an “answer”.
Do we need a complete re-think? The Romans had a neat word, recogita, literally meaning “I consider or rethink”.
Let’s examine the evidence:
- Verification codes sent to (possibly SIM-swapped) mobiles can no longer be trusted
- Such codes don’t confirm the identity of the recipient
- Passwords are clearly an Achilles’ heel as they can so easily be captured and re-used
- Humans will always be fooled by convincing hackers
- Virtually everything we use as “trusted” credentials can be stolen (biometrics, devices, codes, personal data, etc.)
- AI further erodes human trust in things like the sound of a colleague’s or loved one’s voice on voice notes, etc.
If anyone disagrees with the above, please speak up now.
Albert Einstein’s well-known definition of madness (doing the same thing over and over again, expecting different results) fits the situation perfectly. Why do we continue to bang our heads against the same brick walls? Should we try a different approach?
Everyone, it seems, knows how important it is to back up data so that within a short period of time “ransomed” systems can be reset. The Cyber Essentials scheme (almost 11 years old, born June 2014) teaches the importance of firewalls, malware protection and other measures, and especially the importance of education.
The NCSC now seems to think the hackers cleverly impersonated IT support desks and by this means may have managed to change the passwords of some senior figures with access to security systems, thereby gaining access themselves. This has also prompted the NCSC to advise companies to securely authenticate anyone (especially “high-ups”) requesting a password reset.
But many of us still can’t, it seems, even get the terminology right, erroneously referring to the practice of sending a 6-digit code to the very device being worked on (typically a phone) as “two-factor” when it isn’t.
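To make the two preceding points concrete (the NCSC advice to authenticate reset requests properly, and the observation that a code sent to the device being worked on is not a second factor), here is an added example of a help-desk reset policy written as code. It is illustrative and not from the original post, the NCSC or any real help desk; the method-to-category mapping, the set of “relayable” methods and the sample scenarios are all assumptions constructed for the example.

```python
"""Help-desk password-reset verification policy (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Which category each verification method proves (assumed mapping for this example).
METHOD_CATEGORY = {
    "password": FactorType.KNOWLEDGE,
    "security_question": FactorType.KNOWLEDGE,
    "sms_code": FactorType.POSSESSION,
    "email_code": FactorType.POSSESSION,
    "authenticator_app": FactorType.POSSESSION,
    "hardware_token": FactorType.POSSESSION,
    "registered_callback": FactorType.POSSESSION,  # desk hangs up and calls the number on file
    "in_person_id": FactorType.INHERENCE,
}

# Methods whose proof a caller can simply read out to the desk, or that a SIM swap
# redirects. Assumed policy: not enough on their own for privileged accounts.
RELAYABLE = {"sms_code", "email_code", "authenticator_app"}


@dataclass(frozen=True)
class Factor:
    method: str
    channel: str  # device or route on which the proof was checked, e.g. "caller-mobile"

    @property
    def category(self) -> FactorType:
        return METHOD_CATEGORY[self.method]


@dataclass(frozen=True)
class ResetRequest:
    account: str
    privileged: bool
    working_device: str  # the device the caller is using for this session
    factors: tuple


def evaluate_reset(req: ResetRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons_for_refusal); an empty reason list means approve."""
    reasons = []
    # Rule 1: two genuinely different categories, not two codes of the same kind.
    if len({f.category for f in req.factors}) < 2:
        reasons.append("fewer than two independent factor categories")
    # Rule 2: at least one proof must come from somewhere other than the device
    # being worked on; a code texted to that same phone adds no independence.
    if not any(f.channel != req.working_device for f in req.factors):
        reasons.append("no factor verified out-of-band from the device being worked on")
    # Rule 3: senior accounts need a possession/inherence proof that cannot be relayed.
    if req.privileged and not any(
        f.category is not FactorType.KNOWLEDGE and f.method not in RELAYABLE
        for f in req.factors
    ):
        reasons.append("privileged account: needs a relay-resistant possession or inherence proof")
    return (not reasons, reasons)


def sample_requests() -> dict:
    """Constructed help-desk scenarios, not real incident data."""
    return {
        # Caller is on their mobile; desk texts a code to that same mobile and calls it "2FA".
        "code_to_same_phone": ResetRequest("j.smith", False, "caller-mobile",
            (Factor("sms_code", "caller-mobile"),)),
        # Password plus app code, both produced on the device being worked on.
        "two_factors_one_device": ResetRequest("j.smith", False, "caller-mobile",
            (Factor("password", "caller-mobile"), Factor("authenticator_app", "caller-mobile"))),
        # Password on the working device, app code generated on a separately enrolled laptop.
        "ordinary_user_ok": ResetRequest("j.smith", False, "caller-mobile",
            (Factor("password", "caller-mobile"), Factor("authenticator_app", "enrolled-laptop"))),
        # Senior figure verified with password plus an SMS code to the number on file.
        "privileged_sms": ResetRequest("ceo", True, "caller-mobile",
            (Factor("password", "caller-mobile"), Factor("sms_code", "registered-mobile"))),
        # Senior figure: desk ends the call and rings the number on file before proceeding.
        "privileged_callback": ResetRequest("ceo", True, "caller-mobile",
            (Factor("password", "caller-mobile"), Factor("registered_callback", "registered-mobile"))),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        approved, reasons = evaluate_reset(req)
        print(f"{name}: {'APPROVE' if approved else 'REFUSE'} {reasons}")
```

Run as a script it prints a verdict per scenario; only the two requests with a proof checked away from the caller’s own device (and, for the privileged account, one the caller could not have relayed from a text message) are approved.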
Do humans have a problem with new ways of doing things?
While writing this, I had a terrible thought, which framed the question above. Are we, as a species, open to new ideas, or do we resist them with all our might? While researching this question, I came across futurist and keynote speaker Jim Carroll (clients include Disney, World Bank, Mercedes, NASA and many others), who, in one of his LinkedIn posts (“Stop trying to use old solutions on new problems!” | LinkedIn), hit the nail on the head: “…here’s the sad truth – you’re part of the problem if you have old solutions! You’re part of the problem if you keep reaching into your kit bag of old solutions!”
Then an even more uncomfortable thought occurred: what if many of the “experts” we’ve come to depend on are not only NOT reaching for new solutions – they’re positively resisting new ones!
We’re trying in our little startup to solve a global online security problem (how do I prove who I am without someone capturing my credentials and re-using them to impersonate me?). During our development process, we’ve mentioned our nascent solution to a few digital/cyber cognoscenti and have, despite on the whole huge amounts of interest and enthusiasm, on a couple of occasions been slightly surprised at their resulting lack of keenness. Especially those within large organisations.
What’s that all about? Some, it has to be said, “get it” the first time and react with enthusiasm. But they tend to be in the minority. So, what are the rest thinking? “This is too new for us”? I get that financial institutions tend to be cautious and risk-averse when it comes to introducing new things. But there must be a sweet spot where the graph of the “old” problems, grown too large, crosses with the risks of introducing new concepts, which, hey, might just save the day.
All of this indicates that introducing better ways of authenticating individuals is paramount.