Neil Costigan, CEO of BehavioSec, discusses the impact of consumers’ behaviour on cybersecurity.
We are constantly hearing that consumers are the weak link in security. According to PwC, 50% of the worst breaches within enterprises last year were the result of inadvertent human error, and the figure is of course far higher for personal online fraud.
Cyber criminals are well aware of the opportunity this security vulnerability presents them with and are becoming smarter at taking advantage of it. According to a report published this month, online scams have rocketed 53% in the last three years, in Britain alone.
The simple response to this appears to be further education for consumers – let them know the risks they face online and encourage them to follow strict online practices. However, this of course has been attempted many times over, with relatively little success.
There are a number of initiatives devised to encourage consumers to take online security more seriously. The UK government’s ‘Get Safe Online’ initiative offers practical advice, including ensuring authentication details are not shared with others, frequently changing log-in details and using strong or complex passwords. In fact, as a society, we feel we have all the education we need regarding online security – 80% of us believe that we can stay safe online, according to Ofcom.
We recently launched a study into the psychology of our online behaviour, to help us to uncover just that. What was abundantly clear was that we would be wrong to assume that our habits online are a sign that we don’t care about our online personal data – 90% of us admit that we would feel ‘upset’ if a stranger gained access to our digital data, including online banking details and social media details.
We identified some of the key online behaviour traits we display on a regular basis: Just 29% of us always choose to log out when given the option to ‘stay logged-in’ online. This was a lot lower among 18-24 year-olds (9%). Our research also found that some 37% of us have shared our online log-in details with a friend or partner and that 10% have even shared online banking credentials.
The convenience factor
The convenience factor stood out as a key driver of this behaviour.
We choose to complete many of our daily tasks online (whether that’s messaging, shopping, banking, posting photos) precisely because we want the ease, speed and friction-free experience of using a digital device over a paper trail or physical interaction.
Multiple log-ins and authentication hurdles are simply a frustrating barrier to the end goal.
Online behavioural psychologist Nathalie Nahai helped us to explain the psychology behind this behaviour: “Our behaviours don’t always match up with our beliefs, and although we are attached to our online identities and believe that it’s important to protect them, the reality is that the effort can feel too great.
“Every action we take requires cognitive effort, and those that are more complex (such as remembering site-specific passwords) are also more mentally taxing. This is why we often take shortcuts,” she said.
What are the risks?
Our study uncovered just how easy it can be to take advantage of lax security practices.
More than one in 10 of us has taken a peek at our friends’ ‘logged-in’ online accounts, including email, Facebook and WhatsApp – without our friend’s permission.
We even admit to posting content, changing information and messaging contacts, all under the guise of someone else.
This identifies a clear flaw in the security processes involved with a number of our daily digital interactions.
Once the legitimate user has confirmed that they are who they say they are at the point of log-in, imposters (friendly or otherwise) are able to pretend to be the legitimate user by gaining access during the session.
Time to re-think security
We know full well that sharing passwords is bad practice, but when we’re trying to pay a friend back for dinner, while sitting on a train and simultaneously eating our lunch, our focus on security tends to slip.
Clearly, placing the burden of safeguarding data on the individual isn’t working. It’s time that digital service providers took the reins. If their business models are focused on streamlined, easy access to services, they need to build in security processes that enable this.
Behavioural biometrics is an example of ‘new era’ security, which fits around the reality of how we operate online. Analysing our unique behaviour, including the angle at which we hold our devices, our typing speed and pressure, this technology is able to identify whether the person is who they say they are throughout the duration of the session, not just at point of log-in.
An outsider may have the authentication details of the legitimate user, but the machine learning algorithm is able to identify that the user displays different behaviour, marking them as an imposter.
We choose to take security risks online in spite of cyber security education and guidelines, not because there is a lack of it. Digital providers should use our unique online behaviour to their advantage, rather than maintaining the unrealistic expectation that we will each conform to idealistic, uniform behaviour.