Insanity, it is often said, is doing the same thing over and over again, with the expectation of different results. If this is correct, data security experts in the UK and globally are fast approaching insanity.
In a paper titled The State of Security 2023 by security platform provider Splunk, it was reported that when bad guys get into a system, their average dwell time is nine weeks. Cyber criminals are living comfortably in our systems without our knowledge.
In organisations of all sizes, Splunk tells us, cyber security experts spend 31 per cent of their time addressing emergencies. Of those events, 48 per cent result in a breach of confidential data.
The UK’s National Cyber Security Centre says in the 12 months to March 2022 there were 2.7 million cyber-related frauds, including 18 ransomware incidents that required a nationally coordinated response.
“The current system doesn’t work,” says Muttukrishnan Rajarajan, Professor of Security Engineering and Director of the Institute for Cyber Security at City, University of London. Rajarajan also advises the London Cyber Resilience Centre, the European Commission, other government bodies, banks and others.
“The big tech companies still take total ownership and control of how data is being shared, and this monopoly is causing serious problems,” he says. “One of the biggest challenges is that these companies are not transparent to the consumer or the data owner, who are simply having technology pushed upon them.”
Creating human solutions
A new project Rajarajan is working on, funded by the European Commission to the tune of €8 million, aims to identify innovative technology that will help design humans into data security. That technology must be completely transparent and easily understood, he says, so people don’t have any fear of using it.
He points to the sort of inclusive technology Apple has produced in the past, designs and interfaces that make technology simple to use and understand – such as Apple Wallet – as inspiration.
“We are working with social scientists, anthropologists and other human behaviour scientists to see how ethnography and psychology should be built into the design phase itself, so that we are aware of the technology that is going to help us move forward,” Rajarajan says.
People need to be comfortably and confidently in control of the technology, he says, rather than the technology being in control of them, if society is going to successfully implement the next generation of data security.
The theme of that next generation will be decentralisation, removing data from big tech firms and giving it back to the individuals who own it.
Our wallet, our smartphone, our data
In Europe, Rajarajan says, there is a digital wallet being developed that will contain digital Euros. In the UK, a similar digital wallet is being produced, one that will contain digital Sterling by 2025.
“The biggest challenge is that users currently have multiple wallets,” he says. “So, I could have one for my cryptocurrency, one for my identity and another for managing my fiat currency in digital form.”
“They are all vendor-specific. I need to go to Barclays to get my Barclays wallet. I have to go for my passport to the European Commission if I’m in the European Union. If I’m in the UK I have to go to the HM Passport Office and get my passport credentials for my digital passport.”
By following this path we will end up back at the centralised model where large institutions own and hold all of the data. This makes them targets for cyber criminals and means any data breaches will result in large amounts of confidential data being released.
“The way forward is to give the user total control, so they can pick and choose how they manage their wallet,” Rajarajan says.
“This means the digital wallets, first of all, must be device-agnostic. They mustn’t be specific to Apple or Samsung, for example. The big tech companies want to control that – they want to monetise our data. But if I’m given total control over how I manage my own wallets, then I have control over how I share my credentials with different parties for payments or identity establishment or asset management. That is the way forward.”
The future is already here
If we look closely enough, we can already see glimpses of the future of data security and data ownership, Rajarajan says.
Look at the disruptive banking services that are beginning to find traction, he says.
“They are offering better services, real-time payments, none of the large commissions,” he says.
“That’s going to change the way retailers work because if we can pay retail in real time, then transactions can happen on the fly as goods are delivered. I don’t need to have an account with a big bank, or to clear my account every 30 days. All of that is going to be obsolete going forward.”
What does this have to do with data security? A user-centric, decentralised system minimises the single point of failure that a central data store creates. It removes the honey pot, the treasure trove of confidential data currently held centrally by large organisations that so often fail in their duty of protection, and that are often successfully targeted by cyber criminals.
“With the future model you have multiple entities collaborating to provide services instead of being a central store of data that can be hacked. This is a better way in terms of consumer protection.”
Of course, the Consumer Credit Act 1974 is currently facing reform. The Act regulates an industry worth £200 billion including credit cards, personal loans, hire purchase and pawn-broking. These sectors are being pushed by these reforms towards being more customer-centric, towards better managing individual risk and being more human, Rajarajan says.
And so, he says, the future of data management will be decentralised, owned by individuals and managed within digital wallets, including our identity papers such as driving licences and passports.
“Digital wallets will drive the market going forward, and that’s good. That’s going to give total control to the end users,” Rajarajan says.
“It will also mean greater data minimisation. Right now, many providers don’t guarantee data minimisation, even though [UK] GDPR says it should be maintained in all instances. If I open a bank account, they always ask me for more information than they should.
“The future will be about giving the consumer more control over the information they share and the ways they can monetise their own data, rather than the big players monetising their data.”