Enhancing cyber-security in the wake of the PSTIA

James O’Sullivan at Nuke From Orbit considers the importance of addressing the human element when keeping data on personal devices like smartphones secure

The recent enactment of the Product Security and Telecommunications Infrastructure Act (PSTIA) signifies a monumental stride towards fortifying our digital defences. However, it is imperative to acknowledge that legislation alone cannot fully safeguard our increasingly interconnected lives.

To truly fortify our digital defences in the wake of the PSTIA, we must confront a vulnerability often neglected in cyber-security discussions: the human element. 

The stats don’t lie

Recent consumer research conducted by Nuke From Orbit paints a troubling picture of UK smartphone users’ security habits. It has also been reported that 60% of UK businesses operate solely via mobile devices. Our research, which involved a comprehensive survey of over 1,000 smartphone users across the United Kingdom, revealed that 72% of respondents admitted to using the same password or PIN across multiple platforms, while 48% confessed to rarely, if ever, changing their passwords.

This behaviour, while understandable given the complexity of modern digital life, inadvertently introduces a critical security risk, akin to leaving the front door of your home unlocked. 

To compound this issue, many authentication tools, such as one-time passcodes (OTPs) or authenticator apps, are stored on the same devices as the apps they are designed to protect. In the unfortunate event of smartphone theft, which, according to the Metropolitan Police Force, saw a worrying rise in the latter half of 2023 and early 2024, these tools become utterly redundant, leaving users exposed to the devastating consequences of identity theft and financial fraud.

There is also a problem for consumers proving it was not them. The instances of ‘fraud fraud’—the act of saying you have been a fraud victim when you have not, in order to get refunds on banking transactions—mean banks are pushing back harder when strong security gets broken.  

The PSTIA, while laudable in its intent to strengthen the security of internet-connected devices, does not comprehensively address this deeply ingrained human element. Its primary focus lies in technical and infrastructural security, inadvertently overlooking the behavioural aspects that frequently serve as catalysts for cyber-attacks.

Action Fraud, the UK’s national fraud and cyber-crime reporting centre, has consistently highlighted that a significant proportion of cyber-crime and fraud incidents involve some degree of human error or manipulation. 

Education, Education, Education

To achieve a meaningful enhancement of cyber-security, we must transcend the boundaries of regulatory requirements and actively confront consumer complacency. The PSTIA provides a solid foundation, but it is incumbent upon us as an industry to build upon it.

Education emerges as a pivotal tool in this endeavour. We must raise awareness among individuals about the inherent risks associated with repetitive PIN usage, password reuse, and other insecure practices. We need to empower users with the knowledge and tools to make informed decisions about their digital security. 

However, education alone is not sufficient. It is equally imperative to provide accessible and user-friendly alternatives that empower individuals to effortlessly protect their digital identities.  

Collective responsibility

But the onus of cyber-security does not rest solely on the shoulders of individuals. Banks, digital wallets, social networks, and a myriad of other service providers bear a shared responsibility.

It is incumbent upon them to tailor their security measures to harmonize with customer behaviour, recognizing that convenience plays a pivotal role in user adoption. They must proactively collaborate with government and law enforcement agencies, as per recommendations from numerous cyber-security task forces, to create a more secure digital environment for everyone. 

One of the most potent strategies in this regard is the implementation of instant invalidation protocols for stolen data. If a user’s smartphone is stolen, their bank accounts, digital wallets, or social media profiles should instantly be locked down, effectively thwarting any attempts by criminals to access sensitive information. 

This proactive measure would mitigate the adverse impact of theft on individuals and significantly diminish the allure of smartphones as prime targets for criminals. 

What comes next?

The industry must invest in more robust authentication methods that go beyond simple PINs and passwords, while also acknowledging their limitations. Biometric authentication, such as fingerprint scanning or facial recognition, offers a potentially more secure and convenient alternative.

However, these methods are not foolproof, as fingerprint scanners can be spoofed, and facial recognition can be tricked by high-resolution images. Behavioural biometrics, which analyse a user’s unique typing patterns or swiping gestures, could add another layer of security but may not be suitable for all users or devices.

Multi-factor authentication (MFA), which requires users to provide two or more verification factors, such as a password and a fingerprint, can significantly enhance security but can also introduce friction into the user experience if not implemented thoughtfully. 

While device manufacturers are making strides in theft prevention, their solutions have limitations. Apple’s Stolen Phone Mode, for instance, while a useful deterrent, can be circumvented if a thief has access to the user’s passcode. Additionally, it does not address the issue of data extraction that may occur in the immediate aftermath of a theft.  

Google’s plans to utilise AI (Artificial Intelligence) to detect phone snatching and swiftly lock the screen are promising, but the effectiveness of such a system in real-world scenarios remains to be seen. That’s because it only addresses a subset of phone thefts, typically not the ones where a device is stolen with observed PINs. 

Furthermore, AI-based solutions may raise concerns about privacy and data usage. These technological measures, while helpful, are not a panacea for the issue of smartphone theft and data vulnerability. They must be complemented by robust user education and a multi-layered security approach that combines various authentication methods and proactive data invalidation protocols. 

The PSTIA, while a positive development, represents but a single stride in a protracted journey towards a more secure digital future.

To genuinely protect ourselves from the ever-evolving landscape of cyber-threats, we must confront the human element head-on. This entails educating consumers, equipping them with user-friendly security tools, and implementing proactive measures to invalidate stolen data.

Only then can we aspire to create a digital world that is both secure and convenient, a world where individuals can confidently navigate the digital landscape without fear of compromise. 

James O’Sullivan is the CEO of Nuke From Orbit, providing a service that allows subscribers to block access to multiple services and accounts simultaneously, avoiding account compromise issues and monetary loss when their smartphone gets stolen

Main image courtesy of iStockPhoto.com and AntonioGuillem