Protecting Ourselves in the WWW
By Shanuka Kadupitiyage
With the New Year already come and gone, it’s time for new beginnings in life. Surely all of us have things in our lives that we need to improve on. Among all of them, taking a step back and reviewing our digital habits is something that each and every one of us should be doing.
Besides Government institutions, the people of Sri Lanka also need to be made aware of how to better protect themselves digitally. Just as we hear news of Government websites and country domains being hacked each year, we often hear news of private data such as pictures and recorded video being revealed on social media and in online groups.
Ceylon Today spoke with Sujit Christy and Asela Waidyalankara, two leading cyber security consultants in the country, to learn what the people of Sri Lanka should be aware of in order to better safeguard themselves when interacting with the ‘World Wide Web’.
Proper protection needed
Speaking with cyber security expert Sujit, it was explained to us that, “A country is made of people which consist of individuals and corporates. These people can be doing different things using technology. A lot of people use technology for good reasons and for wrong reasons.”
Because of that, it is Sujit’s opinion that having laws enacted in a country isn’t enough on its own to protect people from cyber attacks and invasion of privacy in the digital context. He stressed the importance of good practices and habits being a part of everyone’s life. Just as one would protect oneself from thieves even though laws against theft are enacted, having the necessary laws in place won’t be enough to be protected digitally.
“When you build a house, you have to think about the gate, doors, locks, how you’re going to protect your windows and so on,” he said. “That level of emphasis has to go towards IT as well.”
Sujit and Asela both spoke about the many types of cyber threats active in the world today, such as spyware and ransomware, which can spy on a computer system or hold it hostage. These come on top of the usual viruses, phishing and other cyber threats that each and every one of us is potentially exposed to each time we connect to the web.
According to Sujit, there are different types of hackers behind these attacks who operate on two very different levels.
The first, he explained, operate on a national level with unlimited resources, sometimes even funded by countries that wish to launch cyber attacks or spy on enemy states to learn their secrets, steal intellectual property, and cripple enemy state infrastructure. According to Sujit, such attacks could happen in short or long term operations.
Then there are the commercially motivated hackers who work for hire, sometimes even for national-level operators. According to Sujit, while they might not have unlimited resources, these hackers are still able to deal serious damage to companies, people, and sometimes even Governments.
However, hacking and spying aren’t the only threats out there on the internet. Just as crime in the physical world is diverse, so it is in cyberspace, and both can bring devastating harm to the innocent victim, be it a person or an organisation.
“There are massive issues going on in the web; phishing, cyber bullying, and even slaver besides cyber attacks and ransomware,” Sujit explained.
“People have to protect themselves.”
After speaking with both Sujit and Asela, Ceylon Today found that both agree on the importance of spreading awareness among the people and providing proper information on how to protect themselves digitally.
Besides that, the State also has a duty to implement the legal framework needed for citizens to protect themselves digitally.
The two shared positive feelings towards the creation of a fully-fledged Cyber Security Act legislated by Parliament.
Besides new laws being implemented, Sujit spoke of a few other Government initiatives that are ongoing for Sri Lanka’s cyber security strategy.
“Now we are in the implementation stage,” he explained, describing initiatives such as the National Cyber Security Operations Centre (NCSOC) and a five-year plan to further strengthen the country’s resilience against such threats.
“Having a national security operations centre has been something discussed for many years now,” said Asela as he explained the initiative.
“It will be a centre that will monitor all the country’s critical national infrastructures. If it’s done right, it’s a good start.”
Ceylon Today learnt from Sujit that awareness campaigns are being conducted among Government sector employees and that there are plans to launch a citizen’s security awareness portal. However, there should be more campaigns in place to promote awareness of cyber security.
Not only that, both Asela and Sujit agree that good digital safety practices should be taught from a young age and continued.
What can we do?
While we can put pressure on legislators and push for cyber security laws to be passed faster, we have to take steps to protect ourselves as well, before and even after such laws are enacted by Parliament.
Ceylon Today asked both Asela and Sujit, two leading individuals in the field of Sri Lanka’s cyber security, for their advice on staying safe from unseen threats.
“Emphasis has been given on practicing hygiene in COVID times, such as regularly washing hands and disinfecting. Similarly, we need to practice digital hygiene in our lives,” said Asela when asked.
Both Sujit and Asela shared many good digital hygiene habits that all of us can follow in our lives. Among the many, one of the most important habits that you could follow is to be protective about your password.
“Regularly change the passwords for all your digital accounts,” said both Sujit and Asela. “My rule of thumb is ‘change your password when you’re changing your toothbrush’,” Asela added.
Another bad habit that must be avoided is using the same password for multiple websites and accounts. Doing so means that all a hacker would need to know is one password to access all of your digital services, from your Facebook account to your online banking service.
If memorising all your passwords is tough, you can use a password manager. These are services where you can randomly generate strong passwords for your digital accounts, then save them in one universal software application for a monthly fee. Then all you need is to remember the password for that application only, or even better, use biometrics (fingerprint, face ID) to protect that account from those who would want to get into it.
Also, wherever possible, use two-factor or multi-factor authentication as an additional layer of security on top of the password on your digital accounts. It also means that you would know when someone other than you is trying to access your account.
“As an individual, it’s crucial that you don’t over-share, revealing private information that people could use as hints to make educated guesses on your password. Don’t make the hacker’s life easy,” was Asela’s additional advice. He also warned that sharing too much personal information can put both you and the people close to you in more danger of cyber threats.
“Just like we have to teach children basic hygiene habits, we have to teach them how to protect themselves digitally,” Asela continued.
“Companies spend a lot of money on teaching these to employees because poor practice in digital habits has led to massive damages to corporations. Not following such habits leaves you digitally vulnerable to attacks.
“Following good digital hygiene is something that each and every one of us should nurture within us. This is especially true because with 5G being introduced, we will be thrust into a completely new digital age where everything is seamlessly connected and the boundary between online and offline will be blurred even further.”
Why it matters
In a world where digitisation is becoming more and more commonplace, our lives are becoming increasingly dependent on the services we utilise online.
With the internet gaining a larger presence in our lives, big corporations such as WhatsApp, Facebook, and Google take advantage of that, collecting our usage data and selling it for profit, which is why we are able to use their services for free.
“I think it was the Economist magazine that once said, ‘Data is the new oil’, and it is true,” Asela said.
“Big tech companies are earning money by using and exploiting people’s data. Depending on our usage of their services, they know our name, age, sexual orientation, political views, hobbies, places we like to visit or eat at, almost every aspect of our personal lives.”
It’s common sense that not only social networks and productivity software but also governments hold extremely private and sensitive information about their citizens, and with the digitisation movement to increase productivity and efficiency, the amount of information about a citizen available online is increasing. On both fronts, weak cyber security measures leave this information vulnerable, and if it is hacked into, it could undoubtedly wreak havoc on people’s lives.
Prevention is crucial when there’s no cure
Unfortunately, there is no definite and foolproof way to prevent a cyber attack from occurring. There is no such thing as a perfect system. Even the smallest of weaknesses could be exploited and used to break in. However, just as a good lock keeps most thieves from breaking and entering, having good cyber security measures in place reduces the chance of a breach and increases your chance of preventing one in the first place.
Being able to prevent breaches is crucial in the world of cyber security, because there is no way to get data back once its security has been compromised.
A culture of awareness
Both Sujit and Asela agree that there should be a change in attitude towards being protective of personal data and information. Not only should people be concerned about what personal information of theirs is being used online and what for, but they should also be aware of the implications of such information being exploited by unscrupulous parties. They should also be educated on what actions they can take in order to protect themselves and take action against those who misuse personal information.