Is cyber security in local government user-centred enough?
Written by Arnie Armstrong, Principal Security Engineer, MadeTech
We often hear that the biggest cybersecurity vulnerability in any organisation is its own employees, but is this really the case? Arnie Armstrong, Cyber Security Principal at Made Tech asks could it instead be that our existing systems and processes were not designed with people in mind? And do we need more education within teams?
We often hear that people represent the weakest link in security. But in reality, it’s a problem created by designing systems and processes that are not people focused.
The creation of the National Cyber Force in 2020 and the release of the National Cyber Strategy 2022 represented both a significant step-up in our offensive cyber capability and a renewed focus on supporting the public sectors defensive cyber capabilities. Through the Strategy, the government shared their goals for making the public sector more resilient, helping councils protect their systems and citizens’ personal data from ransomware and other cyber-attacks. But despite these safeguarding efforts 39% of UK businesses identified a cyber attack in 2022.
And it’s showing no signs of slowing. More than a third of public sector organisations struggle to deal with 26–50 cyberattacks every day. The public sector puts this down to a need to upskill staff on tools and processes, failure to follow security policies and procedures and being held back by limitations of cybersecurity infrastructure.
Through the National Cyber Strategy 2022 the government aims to do more to protect UK citizens and companies, and its international partners. But let’s be clear. There’s no such thing as an unhackable system. The best way for local government to protect itself is to create cyber security policies and measures designed with people at the core.
Designing for security and the user
User-centred design (UCD) is all about the people using a product or service and their needs. We focus on them in each phase of the design process. We’ve seen the public sector UCD community mature and grow in recent years as we gradually digitalise processes, systems and services. To make sure our public sector is as secure as it can be, we should be applying this user-centred approach to cyber security too.
How many times have you created a password including the necessary nine characters, one capital letter, one lower case letter and one number… and then forgotten it? This can be frustrating when all you want to do is check your recycling collection dates for example. If something becomes frustrating, people find a way around it. In this case, we see people using the same password for everything. And that in turn makes it useless, or certainly less secure. This is a fitting example of when we don’t think about every single problem from a user’s perspective. We’re designing for security, but we’re not designing for the user.
Do we really need passwords?
If we take the traditional approach to authentication, to create a login you need a username and password. Most of us see password-based authentication as the most simple and effective security solution. Yet passwords are fundamentally flawed because we are in the habit of thinking about a password that we must always remember. This by default makes it less secure. There are other authentication means that would be not only more user-friendly, but safer.
A one-time password to our phones can ease usability and remove the need for the traditional authentication method. A solution like this is much more appropriate for services like paying council tax.
Can local government securely store our data?
This also begs the question, should local government be the owners of a username and password database for citizens? Is this the best place for our sensitive data?
Local authorities provide essential services for thousands of people in their communities. Because of this, and the many restrictions on their finances, cyber security simply cannot be a council’s top priority. But there are centralised government services that have the skills and resources in place.
Central government typically has a large security team and good security processes in place to protect your data. For example, the Government Digital Service’s One Login allows users to sign into government services with a single login, replacing the 40+ logins previously required. Centralised services like this can ease the strain for local government.
One Login is great, and services like it show the progress towards more user-friendly cyber security. But there’s still much more we can do at a local level to improve usability and reduce the chances of a security breach.
Putting people at the heart of cyber security
With all this in mind, there are steps that local authorities can take to make sure people remain at the heart of any cyber security strategy.
Do the work to understand your users
We shouldn’t assume that something that’s become the norm is automatically the best approach. Passwords are a great example of this, they work in many instances but not all. Discovery exercises sit hand in hand with the way services are designed. They allow you to understand what a user is trying to achieve and the steps they might take to get there. Discoveries uncover exactly what people need from products and services at each step of their journey and they’re the best of way of understanding a someone’s perception of cyber security. Do they prefer a password and username-style login? Are they good at creating secure passwords? Would they prefer a different type of authentication? All these questions can be answered in discovery phases.
Collaboration across skillsets
A user researcher will do a fantastic job uncovering the needs of your users. But when addressing these needs, you also need to align with your cyber security requirements. Look at it from the other side — will your fit for purpose authentication methods make sense to the user? It’s vital your engineers and researchers work together to make sure all requirements are covered right through to launch day.
Invest in training
The importance of cyber security should not just be practiced by software engineers, but everyone. To appreciate its importance, we need to understand how it works and that means training. Local government teams may need help identifying which skills they’re missing. Working alongside external partners can help teams develop this knowledge and capabilities.
Research is the way forward
Maybe we’re not quite ready to erase passwords forever, but we should be spending more time thinking about how valid their usage is in new systems. Can we do better for our users by understanding them in greater detail? If 90% of users access a service from a smart phone, couldn’t we use an app-based token for authentication? If most of our users have Google accounts, couldn’t we leverage that account and save ourselves the risk of holding data ourselves?
Research, research, research is the way forward. We must take the time to understand our users, then build our cyber security measures around that to protect our people, our data and our public sector services.
Originally posted here
Originally published at https://digileaders.com on May 11, 2023.