What role can design play in our fight against cybercrime?

Overcoming the cybersecurity challenge sounds like a difficult task. Even understanding the cybersecurity challenge might prompt blank stares from many. 

But it’s becoming something everyone needs to pay attention to, especially now we’re living more of our lives online than ever before – for work, education, and social connections. With that comes an increased risk of cybercrime. 

The Australian Cyber Security Centre received over 67,500 cybercrime reports during the 2020-21 financial year, an increase of nearly 13 per cent from the previous financial year. The ACSC also observed that self-reported losses from cybercrime during that time totaled more than $33 billion. 

What role do we as individuals play in overcoming the cybersecurity challenge? How much of the problem can be solved by design, and should technology be doing more? 

Last year we launched Future Led, an event series for the Liquid team that brings together experts on a particular topic to discuss what they know, share their insights, and offer any predictions they might have. 

Our final event for 2021, Overcoming the cybersecurity challenge, included:

  • Şebnem Kürklü, manager of Technology Transformation & Cybersecurity at Aurizon 
  • Dr Ivano Bongiovanni, lecturer and researcher on infosec at the University of Queensland 
  • Melissa Crossman, Chief Executive Officer of Cryptoloc Technology 
  • Rakalene Condon, Head of Product at Everledger 


Left to right: Rakalene Condon, Melissa Crossman, Dr Ivano Bongiovanni, Şebnem Kürklü and Liquid's Jarrad Lawrence.

(For a TL;DR of the year’s previous topics, see this post.) 

How many devices do you own that are connected to the internet in some way? There are obvious ones like a laptop and phone. What about a watch, or fairy lights that you control through an app? How about a smart speaker or a robotic vacuum cleaner?  

And for all your internet-connected things, you’ve updated the username and password, right? 

“My colleague actually watched someone hack into a network through a toothbrush and take control of the entire network through an internet-connected toothbrush,” Melissa told us. 

Human error (or is it apathy?) is a factor in a majority of cybercrime. We all do things that we’re not supposed to do - in varying degrees, of course. Some of us use the same username and password for multiple things, and some of us click that link in an email because it “seems legit”. 

The consequences can be devastating. In mid-2021, Ireland’s public health system was held to ransom, resulting in the cancellation of outpatient clinics and healthcare services. It happened after an employee opened a spreadsheet attached to a phishing email.

A day after our December event, the South Australian government revealed that the personal details of tens of thousands of employees had been accessed in a cyberattack, with a payroll provider falling victim to ransomware. 

“I think the first major step is not technical at all, it’s around general awareness and training. I think that’s the most important thing that every business can do,” Rakalene said. 

“When something bad happens, it touches everyone in a business.” 

 

Changing our behaviour 

To what extent does human behaviour need to change to help stop the proliferation of cybercrime? If we’re aware of the risks and adverse consequences of phishing emails or bad password management, why do so many of us continue to do the wrong thing? 

“I’m a big fan of unpacking the black box,” Ivano said.  

“Often times as employees we believe that you click on an email and then there’s a big chain of events that you don't really understand, you don’t know what’s going on - it's a big black box.  

“And then six months down the track, something bad happens to your company. Unpacking that big black box is essential because if people understand it, at least they start engaging with it.” 

Melissa added that having human-centred solutions was crucial for cybersecurity. 

“The working from home is the number one thing, when it comes to changes in the last couple of years, and people-centric security is now a massive trend,” she said.  

“A lot of that’s about no longer treating security as a perimeter and a network and an office, and actually trying to treat security from a people point of view, and the people logging on, because that’s the one common factor.” 

 

Removing the decision element 

Şebnem agreed that the end user is an important part of the solution, but suggested there was more we could do with our technical systems to limit the impact of human mistakes. 

“We need to remove the decision element where we can so the user is having to make fewer decisions,” she said.  

“While embedding technology into our users’ daily lives and enriching their experiences, we’ve added complexity into their lives by increasing the number of ways they can be a victim of cybercrime. Each click is now collecting more data and increasing the attack surface. 

“In these modern times, we cannot defend the user or the information by doing what we’ve done in the last two decades. Yes, traditional security tools and cyber hygiene still have a part to play but we as technologists need to refine our vision. It is time to challenge the norms and innovate the way we protect the user and the data.

“There’s a big job ahead to transform the way we architect things so that they’re defendable rather than an easy target.”