Challenging assumptions leads us to look at things from a different perspective. It was a theme that came through loud and clear from stimulating talks at this year’s BH Consulting customer day.
BH Consulting founder and CEO Brian Honan opened proceedings with the greeting “may you live in interesting times”. Popularly – and probably mistakenly – attributed as a Chinese proverb, it’s open to interpretation as a blessing or a curse. It’s an apt phrase for people working in cybersecurity and data protection, who, as Brian joked, “tend not to look on the bright side”.
Drawing on reports from the World Economic Forum, the Verizon Data Breach Investigations Report and Hiscox Insurance, Brian painted a picture of what that dark side looks like. Ransomware and business email compromise are constant threats against many businesses. Supply chain breaches are also becoming more frequent. Common ways of infiltrating victim organisations include social engineering against employees and stolen credentials.
Evolving cybersecurity challenges
At the same time, the regulatory landscape is becoming more complex. Some companies rely on cyber insurance as an extra layer of protection, but Brian observed that filling out the forms to get cover has become more onerous, as insurers demand more evidence that clients are at least taking basic measures to protect themselves. There’s a silver lining to that, however, because “it means the business is paying more attention to security”, Brian pointed out.
Faced with these challenges, Brian said there are five steps to improving security:
- Identify the key assets you have
- Put in place effective risk management
- Develop a breach detection and response plan
- Ensure there are appropriate layers of protection
- Nurture a culture of security awareness.
The last point delivers “the biggest bang for your buck in security”, Brian argued. When employees know how to protect data and are shown how to spot probable scams, it goes a long way to preventing security incidents and stopping confidential or sensitive information from falling into the wrong hands.
Ethics and AI: just a mirage?
Next, Dr Valerie Lyons, Chief Operations Officer with BH Consulting, talked about the “ethics mirage” around artificial intelligence. She pointed out that a lot of the most commonly used AI models are biased towards a US context – but the United States doesn’t have a centralised regulation for protecting data or ensuring the correct use of AI. As such, ethical positions are discretionary, not mandatory.
That’s different to Europe where, for historical reasons, breaches of ethical values often lead to legislation. “In Europe, if we adhere to compliance with the EU AI Act, we address transparency, fairness and bias etc. as compliance requirements. These should never be referred to as ethics in the context of the EU.”
Giving the example of a fictitious company that develops an AI app, she said that the company could publish their AI compliance initiatives within a corporate social responsibility (CSR) report, “branded to look like Ethical-AI”. However, branding compliance as ethics weakens accountability, she argued. “If we’re going to address ethical AI, we have to go beyond compliance.”
She asked the audience to consider whether it’s acceptable to sell a tool that was created using ‘stolen’ data – scraped from the internet without people’s permission to build the AI model. When this has emerged in other cases, the default position seems to be “we can’t undo that”, and Dr Lyons questioned why this type of activity is permitted and why enforcement cannot address it using desist processing orders.
Technology native ≠ cybersecurity literate
Dr Hazel Murray of Munster Technological University has carried out research into security awareness among vulnerable groups, to make sure they aren’t left more at risk. This work uncovered some surprising results, and the discoveries should resonate with security professionals developing awareness-raising programmes. Dr Murray said the findings challenge assumptions about everything from people’s familiarity with digital technology, to their understanding of the terms and language used, to the advice that’s intended to make them more secure.
Older people are six times more likely to be victims of scams, and they also tend to be scammed six times more often than younger age groups. But age alone isn’t the determining factor in a person’s safety online: their level of comfort with technology matters more. Just because someone is digitally literate doesn’t mean they know about cybersecurity, Dr Murray pointed out.
The researchers carried out focus groups with the intended audience and developed the material together with them through an iterative process. The resulting material was tailored guidance for older adults, focusing on how to recognise and avoid scams, stay private online, and manage passwords. The researchers paid attention to language like ‘copy and paste the URL’, because some readers wanted to know what that meant.
One classic piece of cybersecurity advice is never to share passwords with anyone else. But this is context-dependent: older people often have a family member, carer or friend whom they trust to keep their password safe, in case they need to access an account or contact a service provider on the older person’s behalf. “We had said ‘don’t ever share your password’, but we found that was a blocker,” Dr Murray said.
Counterproductive security advice
Another finding from the research was that enforcing regular password changes is counterproductive. “There’s no need to do that unless it’s been compromised,” she said. When weighing the security gain from a forced change against its cost to users, the work found that “when users are inconvenienced, they find easy workarounds, like Post-It notes.”
Wrapping up the morning, Brian Honan said the key lesson for security professionals is to engage with the people they’re trying to educate. Staying in an “ivory tower”, not listening to the users but instead telling them what they ought to know is not a recipe for a secure community, workforce or population. In the move to digital technology in all aspects of life, it’s more important than ever to leave no-one behind.
