Forcing us to educate users on cybersecurity won't work: Telstra

Summary: Trying to educate users on cybersecurity is like leading a horse to water, according to Telstra, and making such education a legal requirement isn't going to solve the problem.

In a joint select committee on cybersafety (PDF) held on Friday, two Telstra representatives told the committee that laws forcing it to educate users on the perils of the online world would be useless.

Telstra's director of corporate security and investigation and internet trust and safety, Darren Kane, said that users currently have enough information about online risks, but that the company sees the current education issue as one similar to "taking a horse to water".

"Making it mandatory for us to provide the information would not solve the problem. I think we do that anyway, because we want to ensure they have a greater online experience and keep coming back for more," Kane said, but also clarified that advising users was part of its commercial interests.

"If we were to sell a service or product or network access that did not deliver a good online experience, people would not connect with us. Therefore, it is absolutely in our interests to ensure that all of our customers understand the potential online risks."

But when questioned on whether existing legislation is suitable or whether it needed improvement, the company's representatives admitted that it was not something that came to the fore of its internet trust and safety working group meetings.

"I can say with hand on heart that one issue that does not come up at every meeting is whether we need more regulation or changes to the law in this space. It is not the first order issue that comes to mind when we talk about how we address the issue of cybersafety," said Telstra director of government relations James Shaw.

He also admitted that raising the question of whether legislation is suitable would likely not get a large response from the company's regulatory and legal departments.

Sydney University of Technology's Communications Law Centre director, Professor Michael Henry Fraser, felt that Telstra could be doing more for users, beyond safety and security education, even though it isn't legally required to.

"I think players like Telstra could do a lot more about providing information at the point of sale and on their bills, and in informing consumers more than they do about the existence of the TIO [telecommunication industry ombudsman] and other agencies. They are naturally commercially focused," Fraser said, but warned that they should not be relied on to solve the problem.

"Educational efforts are in themselves not sufficient to ensure security online. And as we see, nor are the law enforcement efforts where we are trying to trace cybercriminals after the fact to investigate their alleged crimes, and then bring them to justice. We are having limited success with that."

Instead, Fraser called for a more preventative approach to security, proposing that one agency, whether that is a law enforcement one or a new "cyber tsar", take the lead to coordinate all stakeholders.

"That agency needs to bring all the players around the table: All the law enforcement agencies, the hardware companies, the software companies, the ISPs, the consumer groups, and the representatives of vulnerable groups, such as seniors or the young. It needs to bring these actors together to develop interoperable standards and industry codes that will reduce the opportunity for cybercriminals in what is now a very open network which is very vulnerable."

Telstra believes it is already leading the way in that regard, at least from the point of view of de-duplicating the educational message and tailoring it towards different internet users.

"I think our company has got it right. I think we have a centralised point for the emission of cybersafety information, and we recognise that we are servicing a different market and different segments. We target our messaging and tailoring at those segments. I do not see that same approach in some government departments or in other agencies. If we are to work effectively in a taskforce approach, I think there has to be an acceptance of one firm approach," Kane said.

Topics: Telstra, Government, Government AU, Security, Telcos, Australia

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

3 comments
  • What can you do?

    I don't know if forcing ISPs into teaching its customer base about security is the right way to go. Can they do more to explain what's out there? Sure. People don't need, and will probably ignore, long-winded technical details, but sending an email with hints and tips would be pretty beneficial.

    But at the end of the day, security is in the hands of the user. It is up to them, to us, to keep our OSes and our virus/malware scanners up to date, to secure our WiFi, to ensure our firewall software/hardware is in place and running.

    There are plenty of resources out there, from the simple to the in-depth. Again, it is up to us to seek these out. And keep in mind, while not everybody out there is waiting to get your information, not everybody out there has your best interests in mind. Be careful.
    dmh_paul
  • Carefully? What indeed?

    Sending email with tips and hints, if tailored to appear official, if it succeeds in drawing attention and standing out from other mass marketing - will also be read and mimicked by malefactors. It will train the customer to accept certain styles of tips from email or whatever venue is used. This creates a new method for attack.
    The moment after (or before) it is effective in convincing a small section of public to act towards better self preservation, eg, update software or run security scanner, the look-alikes will be seen as further validation of importance. The ever so lightly altered tip will hint at how to do yourself harm, eg, update software using this "validated safe" site or run a variety of security scanners including "this one." This is not rocket science, it's human nature. How will my email make you trust this, but never trust another exactly like this?

    True example: Update your plug-ins and if not very careful you soon have 2 to 5 new toolbars, browser helpers, scanners, etc which you will never want or use. Maybe not malicious, just annoying and acceptable to many as a side effect of keeping the latest most secure flash/pdf/java/whatever. Yesterday I saw 8 toolbars taking up over half the screen on a tablet, and a few were malicious. The customer believes he never loaded anything except security patches for what the manufacturer PC came with. The problem is it came with so much junk-ware in the first place, who can ever know what it doesn't have when "notified" something needs updated?
    Customers are being constantly retrained to allow offered software to load.
    Randy Kujawski
  • No support

    If Telstra offered support to Linux users and with Firefox's O/S just around the corner on both phones & tablets, then security would not be a major issue.
    The Stav