Survey reveals sorry state of European cybersecurity
27 February 2015
Cybersecurity experts Julio Hernandez-Castro and Eerke Boiten respond to the European survey on cybersecurity.
The European Commission's annual Eurobarometer Cyber Security Survey, the third edition of which was recently released, is a substantial survey of more than 27,000 respondents from 28 countries. It contains interesting and, more often than not, disappointing revelations about the state of Europe's security.
As specialists in the field, we look forward to the report's release. But as we wrote a year ago, the complete lack of media and expert interest in the study is amazing. Heaven help the survey authors if they have to justify its impact based on media coverage.
Falling on deaf ears
The UK government has adopted a bizarrely triumphalist discourse around cybersecurity, one that is clearly at odds with the experience of the 1,329 survey participants from the UK. In fact, year on year the survey results reflect that the UK is not in a good position, particularly in comparison to some of our more advanced neighbours. This is probably not what Downing Street wants to hear or publicise – particularly in an election year – as it seems that providing some sort of external or independent accountability for the impact of the hundreds of millions of public money spent is not a top priority.
The UK is not alone in its disdain for the survey's results, which were similarly disregarded by most other Europeans. It's a sad outcome for the only large, non-commercial, unbiased, and independent survey on this important topic.
Eurobarometer survey results
There are lots of facts in the report, including some that are very apparent to most people: internet use is up, mobile internet use is leading the way, Europe shows a marked digital divide between nations like Sweden and The Netherlands and others like Bulgaria, Romania and Greece. Other findings include how more than half (57%) of Europeans shop online, 23% sell online, and 54% use online banking. That last figure is relatively large, in our view, taking into account the associated risks.
The two most common concerns of European citizens are the misuse of personal data and the security of online payments – responders were significantly more worried about both than they were last year. At least, good practices such as installing antivirus software (61%), not opening suspicious-looking emails (49%), and being careful not to give away personal information (38%) seem to be increasingly popular.
Not only are people more concerned with the risks of cybercrime but 47% believed they were well informed, up from 44% last year. They claimed to avoid disclosing personal information online (89%), believed the risk of cybercrime is increasing (85%), and were concerned their personal information is not kept sufficiently secure by websites (73%) or public authorities (67%). This last point is worth emphasizing: two thirds of the citizens don't trust the government or any other public authorities to keep their personal data safe – there is a large margin for improvement here.
Citizens are worried about identity theft (68%), malware infection (66%), online banking or bank card fraud (63%), having email or social media accounts hacked (60%), receiving scam phonecalls or emails (57%), or coming across racial or religious hate material (46%) or child pornography (52%) online. Interestingly, 47% are concerned with cyber-extortion and ransomware – a relatively new method that's been very profitable for cybercriminals of late. In all cases, concern is up on last year.
Quite shocking is the finding that, despite being apparently aware of the many risks they face online, an incredible 74% of respondents thought they were able to protect themselves sufficiently from cybercriminals. We simply haven't the words to express what overconfidence this demonstrates, and how unrealistic and dangerous it is. Computers and network security are complex matters – most people's understanding of them, including ours, is at best incomplete and at worst practically absent. How people can believe they can protect themselves after, for example, having already discovered malware on their devices (as reported by 47% of respondents) is beyond us.
What needs to be done
Denmark, the Netherlands and Sweden are the three leading European countries for internet use. That might naturally imply correspondingly higher levels of cybercrime – but the survey findings suggest not. Whatever these nations are doing in terms of education, investment and technology development, we can do much worse than learning from then – or at the very least imitating their good practises.
As ever the UK results are discouraging. Britain misses the leading group by a large margin, and despite well-publicised government campaigns and huge investment in cybersecurity, we show very little overall improvement. Britain leads the way in misplaced confidence: 89% feel we can protect ourselves against cybercrime, which is a bad omen. It experienced the largest yearly increase on accidentally finding materials promoting racial hatred or religious extremism. And the UK also tops European tables of bank card and online bank fraud with 17% of citizens affected. The average is 8%, and in Germany for example the rate is 2%. The UK performs poorly in other areas too, casting a cloud not only on the UK but on crime rates for the whole of Europe.
More positively, the UK seems to be good at changing passwords and feeling well-informed about cybercrime, is among the leading countries where citizens are concerned over the use of their personal data, and also enjoyed the largest fall in scam emails and phone calls. Despite the large increase from last year, it's also still extremely rare for UK users to encounter child pornography or racial or religious extremism materials online.
One problem is that the government's information campaigns are focused largely on companies rather than individuals – some may argue that in this respect it's no exception to Tory policy in other areas. Thus the Eurobarometer survey is probably not doing justice to the current UK government's considerable, but possibly misguided, efforts.
People, not companies, should be prioritised; legislation and incentives should be aimed at protecting citizens and helping them to protect themselves. The main response to mistrust of government use of their data, in particular, should be to give them back more control. There have been some positive moves from Labour and the Liberal Democrats in that direction – but for now they are merely pre-election promises.
At the very least, could future governments please copy whatever it is they're doing right in Sweden, Denmark, the Netherlands and some of our other more competent neighbours?
Article first published in The Conversation and republished with permission.