Online Security - Whose Responsibility?

Whose responsibility is it to ensure that we stay safe online? Government? Businesses? Security vendors? You and me? I believe that it's a shared responsibility.

Since the early days, malware has been conditioned by the way we use technology. Until the turn of the century, this meant a threat landscape dominated by cyber-vandalism. Viruses might overwrite huge chunks of data, or slowly corrupt data, or display a message on the screen, or just spread - with no payload at all. Don't misunderstand me. I'm not suggesting that the problem was trivial. Individuals or businesses on the receiving end of an infection could suffer significant losses. But there was no way for malware writers to make money from what they did.

It was only with the mass use of the Internet, and the use of the web for financial transactions, that malware-for-profit became feasible. This led to a threat landscape dominated by cybercrime. For the last decade this has mainly involved random, speculative attacks on unwary individuals, designed to steal the victim's online identity and get access to their money. But things are changing.

Not only do we *use* the web, but nearly every aspect of our lives is *dependent* on it. Most of us routinely bank, shop and socialise online. Children don't reach for their library ticket to do their homework - they reach for the mouse. And the Internet has become the life-blood of organisations of all kinds - commercial, charitable, governmental. This dependence has once more brought about a shift in the nature of malware. Most of it (around 90 per cent) is still made up of random attacks - banking Trojans, password stealers, keyloggers, etc. But in the last few years we've seen the development of malware for use in targeted attacks, aimed at a small number of organisations, or even a single company. The result is a 'mixed economy' of petty theft, major scams, political and social protest, cyber-espionage and attacks on specific companies or plants.

So whose responsibility is it to ensure that we stay safe online? Government? Businesses? Security vendors? You and me? I believe that it's a shared responsibility. It's not unlike road safety. We have a right to expect roads to be well-designed and well-maintained. We expect clear road signs. We expect car manufacturers to implement safety features in vehicles. But we also have a responsibility as drivers to take care on the road.

As consumers, we have a right to expect that online providers will secure their systems, so that nobody is able to break in and steal our personal data.

I think government has a fourfold duty. First, to make sure that there's a legislative framework that enables law enforcement agencies to prosecute cybercriminals. Second, to ensure that law enforcement bodies have the resources, knowledge and skills to deal with the problem effectively. Third, to ensure that systems under its direct control are secure. Fourth, to raise awareness of the risks we face when we go online and to highlight the things we can all do to minimise our exposure to cybercrime.

Security vendors have a responsibility to develop products that offer optimal protection to their customers.

We also all have a responsibility to make sure that we're informed about the threat, to take the necessary steps to reduce the risk of becoming victims of cybercrime and to ensure that our children understand the dangers - from malware, from over-sharing personal information online and from those who might want to do them harm.