Written by Graham Day, author of Security in the Digital World
Duty of care
Where is the duty of care in information security? Who has the responsibility to protect the home user, the general populace, the person who does not have an information security professional on call? Ideally, every new technology would have all the necessary protections in place and advisory labels attached. Unfortunately, most commercial entities do not favour this business model. Their objective is to create profit, and this is not generally achieved by acting conscientiously and responsibly, or at least there is little support for it.
Internet and Technology
Every child wants the latest smartphone so they can speak to their friends and not miss a single thing. They want the latest interactive toy so they are the coolest in school. Parents, meanwhile, want to make the home as secure as possible, for example by installing CCTV. The Internet makes all this possible, but do we really understand what the new technology does, or what it is capable of?
What is a risk? This can be difficult to define – risk is different for each of us, as is how we choose to manage it. To help us identify the risks we face, we can use risk assessments. A risk assessment identifies all or some of the controls that can be applied to either a device or the way we manage our access to the Internet, and lists them so you can select which risks are managed. Once the user has identified the risks that are not yet managed, the risk assessment can show how much risk still exists for the user.
Updates and patches
Every piece of technology we use carries an inherent risk: the natural level of risk that comes with the technology. These risks might allow an attacker, a criminal hacker, to take control of the device, copy all your ‘sensitive’ information (such as banking details) or even learn something about you that could be used against you. Those creating the technology must do what they can to reduce these risks for the end user. Companies use controls to manage these risks; for every vulnerability or weakness a control is applied. But technology builders are in a constant race. Each technology company is competing to be the first to release a device to the world, aiming to corner the market and make the most profit. In some cases, the technology is released before all the vulnerabilities are identified and controls are put in place. It is therefore necessary to make sure the device is configured for regular updates and patches. These are the add-ons that manufacturers issue to fix any vulnerabilities and protect against any new threats that may have developed since the device was released.
Protecting children online
Whose job is it to protect children online – the regulator, the makers of applications such as Facebook or Snapchat, society, schools or the child’s parents?
- The first is not an option – there is no Internet regulator. Is it even possible to regulate the Internet? There are so many levels of activity on the Internet that it could be argued it is an untamed beast that will never be brought under control. It is therefore unlikely that any regulatory authority would ever be able to achieve this task single-handedly. It is also highly unlikely it will ever be possible to form a council that could agree internally on what would be an acceptable level of security for the Internet, let alone regulate it.
- What about the makers of applications such as Facebook, Snapchat and Twitter – should they be responsible for protecting children online? Ideally, yes. Ideally, there would be a magic switch that protects anyone under the age of 16 online. Unfortunately, there is a significant issue with this scenario – how does the application know if a person is under 16, or if they are telling the truth about their age? There are ways to accurately identify the age of a person, but this sort of verification is not routinely available when a person signs up to an application. Maybe in a century or so each person on the planet will carry an identification card that contains their biometric data and is impossible to forge, but until then an application has to believe what the user is telling it, so the second option is not an option.
- The third option is society. This is an impossibility, because society is so diverse that it is implausible to think there is a standard that could be agreed upon among so many territories, let alone applied.
- Should it be the job of schools, then? Is this feasible? Schools can raise children’s awareness of online dangers, but they can only deliver the information. The school cannot force a child to listen, and can certainly not enforce or monitor. Schools already have a challenging and demanding role to play, so is it realistic to expect them to become information or cyber security experts too?
Realistically, there is only one option for the protection of children online – their parents. Although there can be no expectation for parents to become information or cyber security experts, they should accept that the onus is on them. It is up to the parents to make their child aware of online threats, teaching them that not everything may be as it seems. The key message is ‘think twice, click once’ – that second thought could save a child’s life!
From the top ten tips and the breakdown of consumer risks, to social networking and parental security, this book is an essential guide for anyone and everyone trying to stay safe and secure in the evolving digital world.