Despite a slew of cybersecurity breaches, people still aren’t taking online security seriously

Cybersecurity breaches seem to be a constant part of modern life, with a new high-profile leak or hack happening almost every week. Despite this, however, British people still aren’t taking adequate steps to protect their data, according to findings published by Cyber Security Europe.

In a survey of over 1,000 people living in the UK, almost a quarter – 23% – admitted to regularly using either their name or date of birth as their password in online accounts – an absolute no-no in ensuring a secure account.

Furthermore, 11% – slightly more than one in ten – said that they only use one or two passwords for all their online accounts, meaning that if one were to be breached, hackers could easily gain access to the others.

Even major attacks affecting large percentages of the population don’t seem enough to prompt people to take better cybersecurity precautions, as 76% of people say they never update passwords after a major breach.

British workers are not practising adequate cybersecurity, which is putting businesses at serious risk. Image courtesy of Transport for London

This is particularly bad news for British businesses, which not only have in the past been accused of not doing enough to protect their customers from cybersecurity incidents, but which will be subject to the General Data Protection Regulation (GDPR) from next year, meaning they could be in serious trouble if poor employee practices leave customer data exposed.

Despite this, only 16% of respondents say their workplaces have increased focus on cybersecurity since the WannaCry ransomware attack earlier this year, the most devastating attack to hit UK businesses of late.

In addition, 60% of people said they only used logins and passwords for online security at work, which, given how many people use poor passwords, poses a serious security risk for companies.

“A surprising amount of people still seem oblivious to the threat posed to their personal and, in fact, business information by using their name or date of birth as their passwords,” said Bradley Maule-ffinch, director of strategy for Cyber Security Europe.

“Nowadays, this is far from being just a personal issue. We have seen a spate of prolific attacks and breaches this year alone and businesses must ensure that employees are educated about the basics such as password security.

“With the advent of the Internet of Things, increasing numbers of people are using their own personal devices to connect to business networks, which is an ever-growing threat landscape. This could prove a costly vulnerability for organisations in the wake of GDPR.”

Over a third of UK’s critical infrastructure organisations left open to cyber attacks

39% of the organisations that make up the UK’s national critical infrastructure – including police forces, fire services, healthcare organisations and energy suppliers – have not completed the government’s basic cybersecurity standards, leaving them potentially open to attacks.

The revelation was the result of a series of Freedom of Information (FOI) requests by cybersecurity provider Corero Network Security to 338 critical infrastructure organisations. Of the 163 that complied with the request, 63 admitted to failing to complete the UK government’s 10 Steps to Cyber Security programme.

Given the potential for damage – and even in some cases, loss of life – that comes with a cyber attack on a police force, hospital or fire service, this raises serious concerns about how prepared the UK’s critical infrastructure is for an attack.

“Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society,” said Sean Newman, director of product management, Corero. “These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”

A summary of the 10-step guide. Image courtesy of GCHQ. Featured image courtesy of Tim Peake

The UK government’s 10 Steps to Cyber Security programme was developed by GCHQ to provide a simple and clear guide for organisations to follow to ensure they are adequately protecting themselves from cyber attacks.

Originally published in 2012, it is used by two thirds of the FTSE350 – the country’s 350 largest companies – and was re-issued in 2015 alongside an additional document for businesses.

Covering technology and employee management, it includes steps such as user education and awareness, controls for removable media and the establishment of network security.

Many organisations will already follow some of these steps, but others remain under-followed, leaving critical infrastructure exposed.

Healthcare organisations, particularly NHS trusts, are at significant risk, despite already suffering a devastating attack earlier in the year

There have, of course, already been successful attacks on critical infrastructure, with the WannaCry attack crippling NHS systems earlier this year.

However, this does not seem to have resulted in dramatic improvements in security efforts, as 42% of the NHS trusts who responded to the FOI requests had not completed the programme.

As a result, it is likely that we will see more attacks on critical infrastructure providers in the future, potentially putting people and the UK economy at risk.