Filled with malware, phishing and scams, does the web need a safety manual?

Web users are still making the same mistakes over and over again. How do we make it safer online?
Written by Danny Palmer, Senior Writer

It's estimated that cybercrime drains $600bn a year from the global economy, equivalent to almost one percent of global GDP.

In many cases of hacking and cyber crime, an innocent victim plays an unwitting role. It could be clicking a phishing link and unintentionally installing malicious software, it could be because they use the same weak passwords across multiple accounts: whatever the case, it's common for people to accidentally become part of the cyber crime supply chain.

"You could argue that 80 percent of cyber crime can be prevented. That's a stat the government is using and I was using it in the police and it's still apparent today," says Jake Moore an ex-cyber crime investigator, now at security company ESET. "Eighty percent is still the weak link of the human firewall."

Most people are learning as they go along, because when it comes to how to use the internet, there's no instruction manual on what to do -- that's leading to people making mistakes that could easily be avoided.

"On a box of paracetamol you get all the risks on the back -- and if you really want to go for it, you can read the leaflet inside. You don't get that on the internet," says Moore. "A smartphone and a tablet, do people read about security risks? It'll tell you not to chuck it in the bath, but it won't tell you about security."

It's partly because of this why people can still be so easily led down the wrong path on the internet and tricked into thinking fake emails are really a legitimate representative of a company.

"It's hard to verify. How do you know if that's a real account if you're an average person online? There's no regulations in place, there's no universal trust system or verification system for someone to know. This is an area that a lot of hackers are exploiting," says BJ Jenkins, CEO of Barracuda Networks.

SEE: 17 tips for protecting Windows computers and Macs from ransomware (free PDF)

Essentially, despite being so heavily ingrained into our lives, there are many areas of the internet that are still a Wild West -- Internet of Things devices have been rushed out into homes and workplaces, but in many cases, security has barely been thought about during the manufacturing process, leaving vulnerabilities that can allow access to whole networks.

There's now coordinated efforts to ensure these devices are secure by design, but the security industry is playing catch up, as in many cases, these products will have been installed -- and potentially forgotten about.

But would the public take heed of the warnings or even listen to them in the first place? The last twelve months has seen an almost constant steam of data breaches and scandals about online data being misused, but nothing much has changed. Only the most savvy web users are aware of the need to lock down their accounts or use security-enhancing technologies like two-factor authentication.

"Not too many people thought too much about having their information on Facebook. You think you're just sharing things with your friends -- why would that ever be abused? It's one of those situations where until it's pointed out to you, how you can be exploited, many people just don't see it, they don't have visibility to it," says Jenkins.

Users can't be expected to overcome naivety about privacy and security on the internet alone -- which means that someone or something needs to step in to help provide aid. That could be organisations like social media firms themselves, but that concept is ultimately contrary to how they do business.

"Social media and other online providers have definitely started taking steps to give people more control over their privacy and to review how cookies are collected and used. However, this normally involves the user 'turning off' services, rather than 'turning them on' -- for example, turning off their public profile," says Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu.

"However, this does not create trust and it is not sufficiently secure -- after all, how many people now just click 'OK' when an annoying cookie pop-up appears on a webpage?" she continues, adding: "This is why the principle of privacy-by-design is so important. Privacy settings and security controls on public sites should be enabled by default."
But that's only scratching the surface when it comes to helping people keep their data secure. Jenkins argues that social networks and other sites could -- and should -- notify users when their information is public and provide them with an easy way of making it private.

"If you're really serious about it, you'd be designing communications for people who have public accounts, who haven't made it private, reminding them on a constant basis that this information is exposed and how abused public information can be," says Jenkins.

SEE: Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic cover story) | download the PDF version

But given how data is so important to the business models of social networks, it's unlikely that they'll want to restrict what information users share or how they share it. Even worse, while big-data breaches and privacy scandals might briefly raise awareness about online security, we quickly forget.

Somewhere, education needs to be provided on spotting risks on the internet -- and it could go a long way towards keeping users, and their employers, safe from the majority of cyberattacks. For Armstrong-Smith, this should start in schools.

"Often children have access to social media at a young age. Teaching children about their digital footprint, what to share and how to ask for help without fear, is key. This includes what information they may innocently share about their families, for example, 'where does mummy work' or 'what is your dog's name'," she says.

Then those lessons need to be regularly repeated, all the way through people's corporate lives -- solid messaging and education is required, not just warnings about clicking on links or doing an online course once a year. Cybersecurity needs to be key to everything a company does -- and that starts with employees at all levels.

"Put simply, security and privacy must be at the core of the board's risk agenda," Armstrong-Smith adds.

Ultimately, users need to be made aware of the threats that are out there -- and how those behind the threats are looking to potentially manipulate them into doing their bidding. Improving our attitude towards risk online might take time, but it shouldn't be impossible. 


Editorial standards