To my amazement, the latest Eurobarometer survey on Cyber Security across Europe received very little attention in the UK, despite its quite revealing findings.
The report shows in no uncertain terms that, notwithstanding what politicians like Francis Maude MP say, the UK is doing quite poorly in comparison to our neighbours. Much more needs to be done to meet the cyber security standards of countries like Denmark, the Netherlands, France or Germany.
The Eurobarometer findings might come as a shock to ingenuous readers of a recent Cabinet Office report announcing that two years after launching the national strategy, it has resulted in “making the UK one of the most secure places in the world to do business in cyberspace”. This seems to be quite an overstatement, as the report shows the UK is in fact the worst place in Europe in a number of crucial areas, and there was no sign of improvement in the 12 months since the last survey, even with heavily publicised government investment in cyber security.
A failing strategy
One of the most notable areas in which the UK is trailing its neighbours is identity theft. The barometer reveals that 11% of UK citizens have been a victim of this type of crime, the highest rate in Europe, where the average among member states is just 6%.
UK citizens are also the most likely to suffer the consequences of online banking fraud. Only 3% of Germans experience this crime, while 16% of UK citizens were affected. The EU average here is 7%.
Another sore point is online fraud. A total of 16% of the surveyed UK citizens (again the worst rate in Europe) have experienced fraud of this kind, whereas the EU average is 10%.
The UK also performs badly in email account hacking, given that 19% have fallen prey to it (surprise, surprise, the worst figure again across the 27 European countries), where the EU average is 12%.
These are all quite troubling findings, and make for an unequivocal assessment of a cyber security strategy that is, to put it mildly, not working.
If the record for suffering from a variety of cyber crimes is shamefully high in the UK - compared with countries like Germany, Denmark, the Netherlands or even France - it is certainly not UK citizens who are to blame.
The barometer shows that 63% of individuals changed their online services password in the past year, placing us in a creditable 4th position in Europe.
UK citizens also have a praiseworthy record for changing their passwords for social media accounts and shopping websites. The survey discovered that 36% had done the former in the past 12 months, and 27% had done the latter. An impressive 60% of UK people said they felt informed about cyber crime, and 48% were concerned about online payments.
Putting the law on the side of the citizen
So why has the UK performed so badly on cyber security? The figures don’t admit any trivial explanation. Its shortcomings can be attributed to a complex combination of multiple factors including poor governmental policies, a lack of access to cyber security education, and weak laws for data processing that favour banks and large companies rather than the rights of individuals.
We have, for example, recently witnessed a worrying increase in the number of cases where banks have not returned customers’ money stolen online. They will conveniently accuse the customers of negligence or fraud. For the banks, which can fall back on their own legal teams, this is the easiest and cheapest solution for addressing the problem of sophisticated attacks against their customers. Clients are left with almost no options to fight this cynical but profitable approach. Only new laws can stop this abuse. Laws to protect customers in these and similar cases would additionally force banks to seriously invest in IT to curb losses, which, in turn, would improve overall security. If these laws are not introduced, banks will have no motivation at all to invest in extra security, and customers will continue to pay for balance discrepancies. This is clearly an open avenue for abusive behaviour, and we will in all likelihood see more of it in the near future if nothing is done.
We can unquestionably improve security by passing laws that force banks and other private companies to invest more extensively in security products and technology. They could be required to take responsibility for at least some of the losses, or pay heftier fines in case of a mishap. But these companies are the main beneficiaries of the status quo, so this won’t happen, or not at the needed pace.
So perhaps we should turn to citizens once again. Over the past few years, Massive Open Online Courses have started to offer individuals the chance to improve their understanding of all kinds of subjects. MOOCs aimed at informing people on how to protect themselves online could raise awareness and contribute to even better cyber security practices. In a rare example of wisdom, it seems this is currently being done with NCSP funding and the cooperation of the Open University. It is expected to run for the first time in the summer. Other good governmental initiatives are the development of cyber security modules at GCSE and A-level, of a cyber security Higher Apprenticeship scheme, and some awareness campaigns.
The survey, which involved 1,314 UK citizens, was carried out between May and June last year. Any later and perhaps we might have found quite different results, given the impact of the revelations by Edward Snowden about the extent to which the US government spies on people around the world.
I hope the next Eurobarometer will attract more attention from the media, and will be acknowledged by our politicians. I expect funding for cyber security to become more accountable in the future, in order to evaluate whether we are making the right investments, and external inputs like the Eurobarometer and others to be taken more seriously.
What I don’t expect anytime soon, for a variety of reasons highlighted before, are better UK results.