
Lack of Awareness – a big security risk and a matter of communication

Unaware security

While planning and preparing for PrimeKey Tech Days 2018, I’m browsing through the evaluations from our event last year. Back then, we asked our attendees what they thought would be the biggest risk in IT-security in the future, and I must say that the answers are really interesting.

We’re asking highly skilled “techies” and I was expecting them to say something about advanced hacking, some weak algorithms or other things that can be solved with better technology, but that wasn’t what we got. Of course, quantum computers came up a lot, but what really stood out for me were the risks connected to the general lack of security awareness and skill. Let’s divide their fears into three levels:

1. The public don’t know

The general public don’t know about IT-security, how to use it, or even that they should ask for it. We buy smart devices to simplify life, but we don’t know the security risks they entail. Convenience and cost are important, and purchasing decisions are in many cases made without regard for security. As we don’t know about the risks, we’re not willing to pay anything extra for security. Yes, sure, if one device says it’s secure and you don’t have to pay anything extra for it, you might choose that one over another, as long as no other functionality is missing. Convenience goes before security. These risks affect people in their private lives but also in their professional lives. Professional hackers can breach homes and offices using something as simple as a connected power outlet. Decision making can be influenced by malicious forces, tricking people into acting in ways that don’t benefit them personally or that have a negative impact on their own company. It’s not just techies from PrimeKey Tech Days who have this fear; many countries and governments report attempts to affect public elections by secretly influencing the public.

2. The companies don’t know

We’re all talking about it – new industries and devices get connected without us being fully aware of the risks. And why would they be? Why would someone who has manufactured laundry machines for decades know anything about advanced crypto? Or even know that they should look into it? Some attacks have attracted a lot of media attention and word is slowly getting out about the need to really think about security, but we still have a long way to go. A common fear from the PrimeKey Tech Days audience is that those who do know a bit about security often underestimate the impact an attack can have, either on their own company or on their end users. Many also lack the skill to properly estimate their own vulnerability. Not knowing, they don’t educate their staff enough, leading to even higher risks as data and communication get poorly managed.

3. The management don’t know

Unfortunately, not even the companies whose skilled IT Security staff attend PrimeKey Tech Days are safe from the risks of unawareness. Many reported that when their management underestimates the risks connected to IT, they’re not given the possibility to take proper action. Shortage of resources, either monetary or time-wise, is often a reason for lacking security. If you’ve just installed an expensive security initiative, management can be hesitant to invest even more in keeping the solution up to date with changing standards and a fast-moving environment. Management and tech too often don’t speak the same language, and it can be difficult for technical people to raise concerns in a way that management clearly understands.

What to do?

So what can we do about this? As Scott Rea from DarkMatter said at PrimeKey Tech Days last year: technology is not your panacea. I believe a big part of the solution is to become better at communication. It is up to us who know about the risks, and who know just how important security really is, to educate and to share our knowledge, and to make that knowledge available in the languages of different organizational and technological levels, if you will.

As a technology provider in IT Security, PrimeKey can contribute to this education in several ways. We’re now working hard on making our complex solutions easier to understand and on showing how organizations and governments can benefit from security using PKI. Techies around the globe speak our language, and now we want to help them spread their knowledge in their own organizations. We want to give them the tools to educate their management on why they need to spend resources on security. This is done both by providing simpler and more high-level information and by showing what others are doing. I think that it is important that we all continue to learn and that we share our knowledge, not only within our own company but with each other. Part of this is that developers and specialists attend events like PrimeKey Tech Days, to learn and to network with each other. The IT-security community needs to collaborate across organizational and national borders. We’ve got the knowledge, and together we can create a higher level of security awareness all over the globe.

Talk to each other and share your best tips. What made your organization realize that you needed to invest in security? How do you keep your knowledge up to date? Meeting and talking to others in your field will give you both new knowledge and inspiration on how to improve your own organization. Step by step, we’ll together increase awareness and be one step closer to making the world of IT a secure place for all information and communication.


 


Author

Karin Trogstam

Karin is the Director of Communications at PrimeKey and the project manager for PrimeKey Tech Days. Karin has an MSc in Business and Economics from Lund University. She has worked with B2B Tech Marketing for over 10 years and joined PrimeKey in 2016.

Contact Karin: karin.trogstam@primekey.com +46 769 41 27 59