Arnie Armstrong, Cyber Security Principal at Made Tech, explains why a user-centred cyber security approach is vital to local government
We often hear that the biggest cyber security vulnerability in any organisation is its own employees, but is this really the case?
Arnie Armstrong, Cyber Security Principal at Made Tech asks, could it instead be that our existing systems and processes were not designed with people in mind? And do we need more education within teams? Could user-centred cyber security be the answer?
We often hear that people represent the weakest link in security. But in reality, it’s a problem created by designing systems and processes that are not people focused.
The creation of the National Cyber Force in 2020 and the release of the National Cyber Strategy 2022 represented both a significant step up in our offensive cyber capability and a renewed focus on supporting the public sector’s defensive cyber capabilities. Through the Strategy, the government shared their goals for making the public sector more resilient, helping councils protect their systems and citizens’ personal data from ransomware and other cyber-attacks. But despite these safeguarding efforts, 39% of UK businesses identified a cyber attack in 2022.
And it’s showing no signs of slowing. More than a third of public sector organisations struggle to deal with 26-50 cyberattacks daily. The public sector puts this down to a need to upskill staff on tools and processes, failure to follow security policies and procedures and being held back by limitations of cyber security infrastructure.
Through the National Cyber Strategy 2022, the government aims to do more to protect UK citizens and companies and its international partners. But let’s be clear. There’s no such thing as an unhackable system. The best way for local government to protect itself is to create cyber security policies and measures designed with people at the core.
Designing for security and the user
User-centred design (UCD) is about the people using a product or service and their needs. We focus on them in each phase of the design process. We’ve seen the public sector UCD community mature and grow in recent years as we gradually digitalise processes, systems and services. To make sure our public sector is as secure as it can be, we should be applying this user-centred approach to cyber security too.
How often have you created a password including the necessary nine characters, one capital letter, one lowercase letter and one number… and then forgotten it? This can be frustrating when all you want to do is check your recycling collection dates, for example. If something becomes frustrating, people find a way around it. In this case, we see people using the same password for everything. And that, in turn, makes it useless or certainly less secure. This is a fitting example of when we don’t think about every problem from a user’s perspective. We’re designing for security, but we’re not designing for the user – and this is why we need to think about user-centred cyber security.
Do we really need passwords?
If we take the traditional approach to authentication, to create a login, you need a username and password. Most of us consider password-based authentication the most simple and effective security solution. Yet passwords are fundamentally flawed because we are in the habit of thinking about a password that we must always remember. This, by default, makes it less secure. Other authentication means would be not only more user-friendly but safer.
A one-time password to our phones can ease usability and remove the need for the traditional authentication method. A solution like this is much more appropriate for paying council tax.
Can local government securely store our data?
This also begs the question, should local government be the owners of a username and password database for citizens? Is this the best place for our sensitive data?
Local authorities provide essential services for thousands of people in their communities. Because of this and the many restrictions on their finances, cyber security simply cannot be a council’s top priority. But there are centralised government services that have the skills and resources in place.
The central government typically has a large security team and good security processes to protect your data. For example, the Government Digital Service’s One Login allows users to sign into government services with a single login, replacing the 40+ logins previously required. Centralised services like this can ease the strain on local government.
One Login is great, and services like it shows progress towards more user-friendly cyber security. But there’s still much more we can do locally to improve usability and reduce the chances of a security breach.
What is at the heart of user-centred cyber security?
With all this in mind, there are steps that local authorities can take to make sure people remain at the heart of any user-centred cyber security strategy.
-
Do the work to understand your users
We shouldn’t assume that something that’s become the norm is automatically the best approach. Passwords are a great example of this; they work in many instances, but not all.
Discovery exercises sit hand in hand with the way services are designed. They allow you to understand what a user is trying to achieve and the steps they might take to get there. Discoveries uncover exactly what people need from products and services at each step of their journey, and they’re the best way of understanding someone’s perception of cyber security. Do they prefer a password and username-style login? Are they good at creating secure passwords? Would they prefer a different type of authentication? All these questions can be answered in the discovery phases.
-
Collaboration across skillsets
A user researcher will do a fantastic job uncovering the needs of your users. But when addressing these needs, you must also align with your cyber security requirements. Look at it from the other side – will your fit-for-purpose authentication methods make sense to the user? Your engineers and researchers must work together to make sure all requirements are covered right through to launch day.
-
Invest in training
Software engineers should not just practise the importance of cyber security but everyone. To appreciate its importance, we need to understand how it works, which means training. Local government teams may need help identifying which skills they’re missing. Working alongside external partners can help teams develop this knowledge and capabilities.
Research is the way forward
Maybe we’re not quite ready to erase passwords forever, but we should be spending more time thinking about how valid their usage is in new systems. Can we do better for our users by understanding them in greater detail? If 90% of users access a service from a smartphone, couldn’t we use an app-based token for authentication? If most of our users have Google accounts, couldn’t we leverage that account and save ourselves the risk of holding data?
Research, research, research is the way forward. We must take the time to understand our users and then build our cyber security measures around that to protect our people, our data and our public sector services.
Written by Arnie Armstrong, Cyber Security Principal, Made Tech