For several years the number of security staff in organisations has grown, along with budgets and the tools available for protecting large enterprises. Yet over the same period the number of data breaches has risen every year to record levels. This contrasts greatly with the home environment, where there has been little or no development of new skills or knowledge to protect the home, no increase in security spend and very little innovation in the tools available to protect home users.
Given such a vast difference between the two environments, what can we assume about the home environment when security professionals already believe that there are two types of business: "those that know that they have been breached and those that don't"? That thinking would most definitely mean that most home environments are already breached!
If this is the case, why isn't something being done about it, why is it not happening quickly enough, and why don't security professionals know about it?
Humans have become more technology-led than ever before!
The world has changed: everything is becoming digital and is marketed as being "Smart", yet with every "Smart" device the attack surface of an individual, their family, friends and home grows faster than at any other time in history.
Despite the attack surface of individuals growing at unprecedented rates, individual skill levels to deal with the risk have in theory stayed the same but in practical terms have been reduced in proportion to the attack surface. If the two continue to diverge without any direct action to change this, the chances are that in a few years individuals will not be able to use technology without a successful attack on them through one or more of the devices or technologies they use. We believe that direct action needs to be taken, and that it should be action that everyone gets involved with, both by improving their own digital safety skills and by facilitating the skills of others.
Here is a non-exhaustive list of the reasons we believe that action needs to be taken now.
- Over the last 10-15 years we have seen data breaches where the theft of a single user password has compromised other accounts and services used by end users.
- Despite the level of spending on end user education, organisations have still not raised the bar high enough to reduce the success of criminals' low-level attacks.
- Current approaches to end user training don't seem to be making a dent in behavioural change at the community level (i.e. outside of the work environment).
- Service suppliers have set up services that encourage users to disclose and share more data with them. Since the valuations of some of these enterprises have risen sharply, many new businesses are looking to collect user data without understanding why and how to secure it.
- While devices and services have become more complex and sophisticated, the level of technical expertise has remained low, or been reduced, with the incorrect assumption that devices must be secure and private because the government would not allow vendors to sell insecure products.
- Some service providers have deliberately confused users about what security, privacy and surveillance are and what each of these actually means to them.
- Some service providers have been complicit in producing data breach fatigue in end users with their responses to data breaches.
- The number of applications and services loaded on current devices has continued to grow from basic personal services to remote home surveillance and beyond. These open up end users to greater harm if their devices, applications and services are not secured.
- Further, the total number of home devices may increase to numbers similar to those of a small to medium sized business, which again may provide criminals with even greater opportunities. The instructions provided by device suppliers to enable non-technical users to secure a device and maintain their privacy are usually minimal or non-existent.
- Providers of the above-mentioned services develop them with security as an afterthought, aiming to add it retrospectively once the service is successful, rather than 'secure by design and default'.
- Application developers, authors and publishers are still not being trained in secure coding practices and hence most applications are written with multiple vulnerabilities and bugs in the finished product.
- The response by security professionals during Cyber Security Awareness Month has previously been to talk about the issues amongst themselves at events around the world where there are few or no end users, thus making no difference to those who need to be educated.
- The response by governments and the public sector has been to let the private sector and businesses fund the education of end users, backed by very reserved promotional campaigns to influence users.
- The cumulative effect of end user training in the enterprise has made little or no impact on the overall low bar of user awareness, as evidenced by the fact that we are still talking about password practices after many years of talking about them.
- Providers of end user awareness training should have moved beyond the basic training they have provided for many years, yet they haven't done so because the results of past training have still not reached a big enough section of end users.
What is Security2Live?
Security2Live is a joint initiative with three Founding Partners working with Virtually Informed to work with leaders around the world "to raise the skill level in the Digital Safety Skills of ordinary people so that they are less of an easy target for criminals and service suppliers wanting to take and use personal data for their benefits regardless of the individual".
What does Security2Live want to achieve?
The Founding Partners have created their Founding Principles to state their thinking on what they would like to achieve on Digital Safety Skills, which are available here. Very simply, Security2Live wants to 'raise the bar of security education of all people so that criminals will not be able to utilise the low level attacks they have successfully used for years'. We want to raise the bar on a yearly basis, and along the way to create a barometer of the general level of skills in each country. This level can be used by enterprises to guide the skill level they want to achieve.
What do we want to help people to be able to do?
Security2Live wants firstly to achieve a rise in the Digital Safety Skill level of individuals and secondly to encourage and assist them to have conversations and share their learning with others, because we believe that real change won't come from enterprise awareness training courses but from people having conversations with other people they know, using the language and words that are most familiar to them and their peers.
We are doing this because:
- technology facilitated crime has been growing fast - we want to significantly reduce its success;
- technology product vendors have not used 'secure by design and default' principles for their products, and left their products open and vulnerable for criminals to exploit - we want to educate consumers to be more demanding and selective in their purchasing choices;
- many years of investment in awareness programmes have not significantly changed either people's behaviour or their digital safety skills - we want to facilitate a consistent raising of their digital safety skill level;
- over the last 20 years the digital safety skills of individuals have at best stayed the same or at worst been reduced - we want to reduce digital safety skills poverty so that people can protect themselves, their family, friends, homes and the technology they use.
How will Security2Live achieve its aims?
Security2Live will achieve its aims by:
- Providing easy to use content for non-technical people;
- Providing guidance on how to discuss, share and assist others in raising their digital safety skills;
- Providing guidance for community groups to discuss and share digital safety skills with their communities;
- Facilitating or undertaking research into how digital safety skills can be shared more easily;
- Facilitating or undertaking research on metrics for monitoring society's digital safety skill levels;
- Facilitating or undertaking research on approaches to technology configuration that is simple to administer for all digital safety skills levels;
- Working with industry leaders who share our aims to participate in up-skilling people (including providers of content, digital safety tools and sharing networks);
- Working with enterprises to raise the digital safety skills of their employees, families and friends, so that they can benefit from this initiative and so that in-house programmes can move up from providing training that hasn't impacted individual behaviour for years.
What will we provide?
Security2Live will provide a collection of selected, fit-for-purpose, re-usable resources for use by anyone who wants to raise their Digital Safety Skills by learning about security and privacy, and to be able to help others to do the same.
It will also provide a range of resources for individuals, families and friends to have more intelligent discussions about security and privacy risks with others, and to take action to protect themselves from those risks.
The resources we provide may also be used by employers to promote good practices by their employees in their home environments.
We are working on the principle that "a rising tide raises all ships", and that the current low bar which exists for people, and which has facilitated the success of criminal activity, can only be raised by a conscious effort by everyone in society.
We also hope to provide online and live training webinars and events with expert speakers and lots of useful free tips, tricks and tools.
There are many ways that everyone can get involved; it depends on who you are and what your interest is, including the following:
- Participate in one of our online or face to face training sessions.
- Participate in a face to face training session run by one of our authorised training supporters.
- Attend one of our webinars.
- Promote any of our activities to your audience.
- Become a Digital Safety Skills Champion and promote digital safety skills.
- Become an Enterprise Supporter by providing and promoting digital safety skills to your workforce.
- Become a Community Supporter by using our resources to educate your local community.
- Become a Content Contributing Supporter by providing quality resources which can be used to teach digital safety skills.
- Become a Tools & Resources Contributing Supporter by providing free or discounted tools and resources which improve people's digital safety.
- Become a Research Partner to research what affects digital safety skills.
We will soon be updating the above information to make it easy for individuals, organisations and employers to participate. If there are other ways that you would like to help us, please use the Contact Us page to get in touch and we will get back to you.
We will soon be publishing a list of activities provided by our supporters.
Help us to provide resources to improve digital safety skills here
Help us in other ways to make a difference here.
What Security2Live will Provide
The Security2Live Initiative will provide resources to raise the skill level of end users by providing resources that enable two key objectives:
- Inform the reader on the topic (the width and breadth of coverage): why it is a challenge, what the risks are, how the risks can be dealt with by changing behaviours, how the risks can be dealt with by technology solutions and finally how to respond if there has been a compromise.
- Inform the reader on how they can share the information and what they have learnt, one to one, in small groups and in larger community groups.
These objectives will be achieved by providing a range of resources, including:
- Static text content;
- Video content;
- Online discussions.
The Founding Principles of Security2Live
Every week the media and analysts release details of data breaches and data breach reports telling the world that people are the problem. Whether it is passwords or phishing, the security industry is pointing the finger at those who don't know how to deal with the issues. We believe that the responsibility lies clearly with those who have pushed compliance-based awareness exercises for many years.
These founding principles were produced to help guide the Security2Live Founding Partners to work on a better approach that will bring about real changes for those who really matter: the people.
1 Everyone has the right to basic Digital Safety Skills, resources and support
Existing efforts to assist people have focused on raising security threat awareness to urge users towards more secure behaviour. Security2Live is a fundamentally different initiative aimed at providing people with the digital safety skills and tools needed to respond to threats with the knowledge that simple acts can be effective.
Digital safety skills must be accessible to everyone regardless of employment status and current skill level. The skill level required by people to protect their security and privacy may change from one year to the next, not only because cyber criminals have to target a more skilled population, but also because commonly used technologies change. Raising digital safety skills must not be seen as a once or twice a year effort; it is a continuous journey that may require less effort over time. This initiative will promote digital safety skills throughout the year as well as leveraging selected awareness events.
Access to these skills should start when people are given access to digital technologies. Access must extend to support, particularly for people who have not benefited, or are unable to benefit, from these skills and resources. To this end we believe everyone should have access to at least one person they can speak to for digital safety related help and support.
2 Raising digital safety skills is a collective responsibility
Every organisation or person who wants to join us in raising digital safety skills will be welcomed to do so. Current efforts have been seen as the domain of a few organisations working individually and have not provided strategic leadership in raising skill levels. No single commercial organisation should claim to have a monopoly on this.
The Initiative will create and nurture several participation and support activities for individuals and organisations to get involved - to ensure that it is inclusive. Security2Live is not setting out to compete with existing activities, it aims to bring them together to achieve more strategic and effective results.
3 Digital Safety Skills should impact cyber crime across the world
Digital safety skills have mainly been delivered by IT Departments where the focus has been on compliance rather than personal outcome. We believe people need the digital safety skills that have a direct impact on reducing opportunities for them to be directly impacted by cyber crime. This initiative aims to raise digital safety skill levels and force significant increases in the cost to criminals of carrying out attacks, to the point of making such attacks unfeasible, rather than allowing them to use the same low level attacks that have worked for years.
Just as cyber crime is an international issue, protecting individuals from cyber crime must also be considered an international issue and protection responses may require an international dimension.
4 People's non-work life should be the focus of their digital safety skills
Most people spend more time using technology and devices at home and while they are out and about than they do at work. Many people only consider digital safety skills relevant once they have been compromised or suffered a loss, which in today's world is more likely to happen outside of the work environment. Yet the only education people get is within a work environment where the focus is on compliance.
With Smart Homes and other smart environments a reality, people need to learn how to secure their homes, devices, apps and other digital and physical assets from both physical and cyber attacks. This can best be done where the focus of digital safety skills is on them and their needs for digital living, and the skills learnt are transferred back to the work environment. We base our thinking on the saying that "A rising tide raises all ships", unlike most awareness initiatives which have attempted to raise individual ships not the tide.
5 The digital safety skills offered should enable learners to share their learning with others
The key digital safety skills to focus on are:
- People's behaviours that affect their security and privacy;
- Technologies, tools and processes that can help protect individuals' security and privacy;
- What to do when something goes wrong;
- Becoming a more security and privacy conscious consumer of tech products and services;
- How people can share what they have learnt with others;
- How to support others.
Our approach for the first three skill groups is to provide support and educate on effective human risk protection. The knock on effects of ordinary people raising their digital safety skills should impact security and privacy in the work place, but also empower people to be in control of the technology and services they use, access and own.
Our approach for the remaining three skill groups is to create a network of champions and supporters across the world. The knock-on effect of these skills and related activities is to increase the total network of people in the world who are able to respond quickly when things go wrong.
6 Resources should be inclusive to meet the needs of all levels of skills
The following groups of resources will be developed:
- Resources which support founding principle 2 for online and face to face learning;
- Resources for community leaders who wish to support their own community with digital safety skills.
Existing resources from the digital safety skills communities are welcomed, and where relevant these will be adapted to ensure a consistent house style with appropriate acknowledgements provided.
7 Product and service vendors must play their role in reducing cyber crime
Product and service providers have been responsible for many of the issues and problems that people encounter today. We believe that suppliers should ensure their products and services are not vulnerable to known attacks and that consumers should be able to assume a certain level of security without needing to know the details. Further, any settings and configuration options provided should be "human risk protection" centric, not "vendor data collection" centric. We will participate with others in the creation of standardised digital safety configuration options for relevant technologies and services.
8 Lead research into digital safety skills and human risk protection
Quality research is the way forward to change years of breaches and the growing attack surface of individual users. We will lead research into the following:
- How to provide effective human risk protection for end users;
- How to measure and monitor a country's digital safety skills level from one year to the next;
- How to measure and monitor the next level of digital safety skills required when criminals are no longer able to use the existing low level attacks;
- Digital safety settings / configuration interfaces that work best for non-technical people;
- How digital safety functionality can be raised in the buying criteria of consumers;
- What events / information lead to action, and what doesn't work, for different types of people;
- What events / information make people talk about digital safety skills issues;
- What events / information make people share information about digital safety;
- What events / information about digital safety lead to changes in attitudes and behaviour;
- What events / information people need in order to purchase products and services based on digital safety;
- How elements of Fear, Uncertainty and Doubt can be used appropriately to change digital safety behaviour and decisions.
We will work on these research ideas with partners who have specialist experience in such research. Further we want to highlight and share any existing research into the above and any related areas to anyone who has an interest in this field.
We acknowledge that these founding principles may need to be extended in the future and that they are by no means a closed list. These and any future extended principles are to be agreed to by any supporting organisation that wishes to be involved in or benefit from the work of Security2Live.
Sarb Sembhi, CTO and CISO, is the Founder of Security2Live and has identified like-minded professionals and organisations to work with him to up-skill the world.
Below is an alphabetical list of the Founding Partners working together to bring the principles of the Security2Live initiative into reality. Once the basic foundations have been laid, the Founding Partners will open invitations to supporters who agree with our Principles to join them in radically changing the future of Digital Safety Skills.
Layer 8 minimises the risk to businesses by developing proactive security behaviours in employees. Working with international businesses such as Openreach, National Grid, IG and GKN we've developed:
- Security Champions Programmes
- Online materials delivered via our Layer 8 Toolkit ® Apps
- Surveys to measure security culture maturity
- Interactive workshops
The success of our programmes has been achieved by putting conversation back into security awareness/training. Conversations are our catalyst for change. Working with Layer 8 will provide a framework to get people talking about security and therefore achieving change at the grassroots, where it matters.
OutThink brings the world's first human risk protection platform. An innovative, disruptive solution, OutThink redefines security awareness. The OutThink cloud platform has been developed specifically to automate the identification and measurement of human risk. OutThink was purpose-built by CISOs and researchers from UCL and Royal Holloway, for security professionals who are looking to provide effective human risk protection for their organisations.
Headquartered in the City of London with development in the UK, Greece and Romania, we have a global client base, all of whom are served locally from offices located in Europe, the Middle East and Asia Pacific.
Urban IQ is a management consultancy company largely working across the public sector. It has successfully managed and delivered many complex partnership projects and will provide project support for Security2Live. Urban IQ's background will also provide intelligence for Security2Live to expand its provision of cyber security information and training to the public sector.
Virtually Informed is a media company providing online Security and Privacy courses for non-IT people. It aims to democratise personal technology skills, enabling people to take back control of their digital assets and devices and become the chief technology officer and chief security officer of their lives and their homes, and to be a willing assistant to their families and friends. This site is being hosted by Virtually Informed.
Supporters of Security2Live agree with the Founding Principles and help promote them through their networks. We have a growing number of supporters across the world actively working in fields related to people's Digital Safety Skills.
If you would like to become a supporter, please get in touch with us using the "Contact Us" page.
"Sutcliffe & Co Insurance Brokers welcomes the launch of Security2Live which fills a much needed gap and will help educate & protect people from many cyber security risks."
Duncan Sutcliffe, Sutcliffe & Co Insurance Brokers.
"Security2Live is an excellent initiative and very much needed. IASME is keen to support the work of this project and we encourage everyone in the cyber security industry and community to get involved."
Emma Philpott, CEO, IASME Consortium.
Please note, if you have communicated your desire to become a Security2Live Supporter and do not see your details listed above, it may be because we have not yet completed our verification process for listing - please be patient with us, we will resolve this soon.