How does Ireland fare on the cybersecurity front? It depends on who you ask.
According to the 2017 edition of the UN International Telecommunication Union's Global Cybersecurity index, which measured Ireland against 194 other countries and territories around the world, we ranked 26th, behind Germany and the UK, but ahead of other European countries such as Italy.
We are classed as "maturing" rather than leading, with Estonia, France and Norway leading the European portion of the index.
Where we fall down is in official strategies to help educate the general population, security expert Brian Honan says.
“We are lacking in comprehensive awareness programmes for citizens and companies,” he says. Although there is a national cybersecurity strategy, Honan says there is a lack of government direction and awareness of the topic, with the Garda tasked with cybersecurity suffering from under-resourcing. That puts us behind other European countries, contributing to the 26th place ranking.
But as Honan says, it’s not all doom and gloom. There are things coming that are intended to drag us all into a more secure age online. The introduction of the European Union General Data Protection Regulation has made companies more conscious about what they do with their customers’ data. Nothing focuses the mind like stiffer penalties for misusing, or being careless with, personal details. Under the new rules, companies face fines of up to €20 million, or 4 per cent of annual global turnover, whichever is higher.
As of September 14th, payment providers in the EU will have to verify that the person making an online card payment really is the account holder. That will happen through the implementation of Strong Customer Authentication, which adds a new layer of verification to the process: at least two of something you know (a passcode), something you have (your phone or a card reader) and something you are (a fingerprint or your face). When you go to buy something online, your bank will ask you to confirm that the transaction is genuine, typically through a one-time code sent to or generated on your phone, or a biometric check in the banking app. Transactions that don’t go through this process may be rejected by the bank, although there will be some exemptions, for example for low-value payments and recurring payments for subscription services.
Another act due to come into force soon is the EU Cybersecurity Act. That will bring an EU-wide framework for certifying the security of products, services and processes, making sellers more accountable for the security of what they ship. At present, devices have to be certified to certain safety standards to be sold in the EU; the new act brings the security of devices into the spotlight, although certification under the new schemes is voluntary unless separate EU law later makes it mandatory for a particular product type.
All this – surveys and regulations – means very little to the average person when they are going online. What we really need to know is: what are the main threats, and how do we guard against them?
Phishing
You might think that phishing emails are so 2012, but in reality it is still the biggest security threat individuals and companies face. It still accounts for three-quarters of all security breaches because it exploits the weakest link: people.
This is one reason why Ann Johnson, corporate vice-president of Microsoft's cybersecurity solutions group, is keen to ditch passwords in favour of biometrics. It is easier – and cheaper – to scam a password out of an unsuspecting user than to steal their fingerprints. "If we get passwords out, the cost of attack goes up," she says. "That's what you want to do, we want to keep raising the cost of attack."
But biometrics still face a lot of mistrust from users, despite an industry push to persuade us to use everything from our fingerprints and face to iris scans in a bid to eliminate the dreaded password. One reason often cited is that while we can easily change our passwords, it’s far more difficult to alter your biometric data. When was the last time you changed your fingerprints, for example?
But as long as we have passwords, phishing will be an inexpensive way to try to gain access. And the scams are getting more sophisticated too. In the past, you could usually pick out the scam emails because they were poorly constructed or worded in a way that made you suspicious; the current breed of phishing emails are a lot more believable. Time to don the cynical hat for almost every interaction you have online.
Reuse and recycle
Speaking of passwords, sometimes we hinder ourselves more than we help.
Cast your mind back to a simpler time, when the extent of your online accounts was a single email address. One password to remember. Fast forward a few years and now everything has an online account. That means a lot more passwords to remember.
The temptation to recycle passwords is strong. Admit it: we’ve all done it. We know it’s wrong, we know it’s bad practice, we know it’s risky. And yet, when faced with choosing yet another unique password that we have to remember for a service, many of us fall back on the same trusty passwords.
But it’s not so trusty. If your online accounts are compromised in any way – a breach at a service provider you’ve signed up to that resulted in login details being stolen – you are at risk of losing access to your email accounts, social media and other online services.
Imagine the scenario: you sign up for your email account and use your favourite password. Then you sign up for a Facebook account and use the same password. Then there are the shopping sites you've signed up for using the same details, because they're so easy to remember. The crux of the matter? If any one of those accounts is compromised, the attacker simply tries the same email address and password everywhere else, and you risk losing a lot more.
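The attack the scenario above describes is called credential stuffing. The following is an added example, not code from the original article: it builds two fictional sites ("mail.example" and "social.example", both assumed names) that store passwords properly, as salted PBKDF2 hashes, then replays a constructed breach dump from a third, badly run shopping site against them. The accounts, emails and passwords are all made up for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low for the demo; production PBKDF2 counts are far higher


def make_user_store(accounts):
    """What a well-run site keeps: a random salt and a slow PBKDF2 hash per user,
    never the password itself."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        store[email] = (salt, digest)
    return store


def login(store, email, password):
    """Verify a login attempt against the hashed store, comparing in constant time."""
    entry = store.get(email)
    if entry is None:
        return False
    salt, digest = entry
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


# Constructed: a shopping site stored passwords in clear text and was breached,
# so the attacker now holds these pairs. Emails and passwords are fictional.
BREACH_DUMP = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "Tr0ub4dor&3"),
]

# Constructed: the same people's other accounts. Alice reused her shop password
# everywhere, Bob reused it for email only, Carol used a unique password per site.
SITES = {
    "mail.example": make_user_store([
        ("alice@example.com", "Summer2019!"),
        ("bob@example.com", "correct horse battery staple"),
        ("carol@example.com", "e7Qp-mail-4ZnL-w2"),
    ]),
    "social.example": make_user_store([
        ("alice@example.com", "Summer2019!"),
        ("bob@example.com", "bob-social-only-91xP"),
        ("carol@example.com", "social-W2bT-9xKa"),
    ]),
}


def credential_stuffing(dump, sites):
    """Replay each breached (email, password) pair against every other site.
    Returns {site: [emails whose login succeeded]}; this is what an attacker's
    stuffing tool reports, and the victims' proper password hashing could not
    stop it, because the password itself was reused."""
    hits = {}
    for site, store in sites.items():
        for email, password in dump:
            if login(store, email, password):
                hits.setdefault(site, []).append(email)
    return hits


if __name__ == "__main__":
    for site, emails in credential_stuffing(BREACH_DUMP, SITES).items():
        print(f"{site}: taken over -> {', '.join(emails)}")
```

Carol's accounts survive not because the other sites were better defended but because nothing in the dump works anywhere else; that is the whole argument for a unique password per service, which in practice means a password manager.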
Blackmail and ransomware
Did you get an email threatening to out your online activities to your family – unless you paid the price? If so, you weren’t alone. There were plenty of threatening emails hitting inboxes last year, claiming to have video recordings of whatever you were doing in front of your laptop and a list of contacts they would send it to – unless you paid the ransom in bitcoin. They didn’t have any video, of course, but some people still paid up.
Ransomware hasn't gone away but it is certainly a lot less prevalent. Johnson says Microsoft is still seeing it pop up, but it is usually a tactic to distract the security effort from something happening elsewhere. Still, if your business files have been locked down until you pay up, it's no comfort to think that this isn't what they are really after.
So with all that in mind, what can we do to protect ourselves? While nothing is 100 per cent secure, there are a few steps you can take to cut down on the risk to your personal and financial information when you go online.
Get cynical
“If you are shopping in a strange city, you can make a judgment,” says Honan. “But shopping online from the safety of your office or home, we’re in a safe environment physically but virtually we could be wandering down a dark alley and handing our credit-card info to someone in a trenchcoat. We need to be more aware of the dangers.”
That applies across the board. Take nothing at face value. Don’t click unsolicited links that arrive in your inbox, even if they seem to come from a trusted source. If an email asks you to reset your password for a site, go directly to the site by typing its address rather than trusting the link within the email; the text of a link and the address it actually points to need not be the same. And if something pops up on your laptop claiming your machine is filled with viruses you can clean out for the bargain price of €30, don’t hand over your credit card details. Ditto for ads on Facebook promising subscription services you’ve never heard of, or ads offering €500 vouchers just for handing over your name and a few personal details. If it seems too good to be true, the chances are that it is.
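The advice above (and the point in the Phishing section that today's lures are harder to spot by eye) comes down to checking where a link really goes. The following is an added example, not code from the original article: it pulls every link out of an HTML email body and flags the tricks phishing emails rely on, such as visible text naming one site while the link goes to another, a raw IP address, a trusted brand name buried in someone else's hostname, or a "user@" prefix that hides the real host. The sample email, the domains in it and the TRUSTED_DOMAINS list are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (hypothetical): the sites this recipient actually holds accounts with.
TRUSTED_DOMAINS = {"example-bank.ie", "example-shop.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site_of(host):
    """Crude registrable name: the last two labels. Fine for .ie/.com, wrong for .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons a link looks like a lure; an empty list means none found."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    site = site_of(host)

    if target.scheme != "https":
        reasons.append(f"scheme is '{target.scheme or 'none'}', not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a hostname")
    if target.username is not None:
        reasons.append(f"'{target.username}@' in the URL: the real host is '{host}'")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        reasons.append("non-ASCII or punycode hostname (possible homograph)")

    # The visible text names one site but the link goes somewhere else.
    shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
    if "." in shown and site_of(shown) != site:
        reasons.append(f"text shows '{shown}' but link goes to '{host}'")

    # A trusted brand name buried in a hostname that is not the trusted site.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and site != trusted:
            reasons.append(f"'{brand}' appears in '{host}' but the site is '{site}'")
    return reasons


# Constructed sample email body; the domains in it are fictional.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please <a href="http://192.0.2.10/secure">verify now</a>.</p>
<p>Or go to <a href="https://example-bank.ie.login-check.example/">https://example-bank.ie/login</a>.</p>
<p>To reset your password visit <a href="https://example-bank.ie/reset">example-bank.ie</a>.</p>
"""


def scan_email(html):
    """Return [(href, visible text, reasons)] for every link in the body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(("SUSPECT " if reasons else "ok      ") + href)
        for reason in reasons:
            print("    - " + reason)
```

The checks are deliberately simple heuristics, not a verdict: a clean result only means none of these particular tricks was found, which is why the advice to type the address yourself still stands.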
Encrypt mobile devices
Your smartphone has a lot of information on you. Think about all the things you do on it – banking, shopping, maybe some payments. So it makes sense to protect that data as much as possible.
Honan recommends encrypting your smartphone to prevent access to the data contained on it. Recent Android versions encrypt the device by default; on an older one it means choosing to encrypt the device in your settings, and once you do it you can’t go back.
There are drawbacks though, as it may slow down access to your information, particularly if your device is older.
When you set a passcode for your iPhone, the data on it is encrypted and the passcode protects the key. At the very least, pick a passcode that is not easy to guess (that rules out 6666); the more possibilities there are, the longer it takes to try them all. A four-digit passcode has 10,000 combinations. Take that to six digits and there are a million. To make it tougher still, switch to an alphanumeric passcode that mixes in letters.
One thing to remember: if you back up your iPhone to your computer through the current version of the iTunes software, the backups aren’t encrypted by default. That means if someone gets hold of your laptop and breaks the presumably strong password you’ve set on that, they could gain access to your phone backups. However, you can tick a box to encrypt the backups, keeping them safe from prying eyes by requiring a password before you can do anything with the information.
Lock down social media
Do you know how much personal information you give away through social media? Checking in on Facebook regularly can give away a pattern to your movements at best and at worst could provide scammers with information that could give them access to your online accounts. A trip home documented online could give away your place of birth; happy birthday posts on Facebook can reveal your date of birth. A post dedicated to your parents on their wedding anniversary could provide a scammer with their names – and that’s before we get to the “fun” quizzes that will reveal the answers to a lot of common security questions in the guise of telling you what your fictional alter ego should be called. Think twice before you click that “accept” button.
Updates
Software updates can be inconvenient and annoying, and occasionally can result in problems with your devices. But despite all that, there are good reasons to install them soon after they are made available. If there is a bug or vulnerability in the software, there could be people out there looking to exploit it and the longer you leave your system unpatched, the bigger the risk to your information stored on that device. Like many things in life, it may never happen, but why take the risk? Get it patched as soon as possible.
Up your security
If you are firm on not using biometrics, there are steps you can take to further secure your accounts. For example, if your service providers offer two-factor authentication, use it. Google, Amazon, Apple and others all offer increased security by asking you to use either a one-time code or another device you own to authenticate access to your online accounts. With that second layer in place, a stolen password on its own is useless to an attacker.
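To show what that one-time code actually is, here is an added example (not from the original article) of the time-based one-time password scheme, TOTP (RFC 6238), that authenticator apps implement: the app and the service share a secret at enrolment, and each derives a six-digit code from the secret and the current 30-second time window, so a code captured by a phisher expires almost immediately and cannot be replayed. The shared secret below is the RFC 6238 test-vector secret, not a real one, and the server-side `verify` and `accept` helpers are this example's own.

```python
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret (SHA-1 variant)
STEP = 30                          # seconds per code, the usual authenticator-app default
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step).
    This is what the authenticator app shows on screen."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify(secret, code, at=None, window=1, step=STEP, digits=DIGITS):
    """Server side: accept the current step plus `window` steps either side to
    tolerate clock drift. Compares in constant time and returns the counter that
    matched (None if nothing matched) so the caller can block replays."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return counter + drift
    return None


def accept(secret, code, last_used, at=None):
    """Accept a code only if it verifies and is newer than the last counter used
    for this account; the same code presented twice is refused."""
    matched = verify(secret, code, at)
    if matched is None or matched <= last_used:
        return None
    return matched


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, at=now)
    print("code shown by the app:", code)
    print("server accepts:", verify(SECRET, code, at=now) is not None)
    print("same code 90 seconds later:", verify(SECRET, code, at=now + 90))
```

Note that TOTP protects against a password leak and against replaying a captured code, but not against a live phishing page that relays the code to the real site within the 30-second window; for that, the "another device you own" option (a hardware security key bound to the site's origin) is the stronger choice.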