Saturday, 26 March 2016

Was Met Police Chief Right?

Sir Bernard Hogan Howe, the current Commissioner of the Metropolitan Police in London, recently set the cat among the pigeons by suggesting that the public should bear more of the onus for protecting themselves from online bank fraud.  He said:

"If you are continually rewarded for bad behaviour you will probably continue to do it but if the obverse is true you might consider changing behaviour.

"The system is not incentivising you to protect yourself. If someone said to you, 'If you've not updated your software I will give you half [of your money] back', you would do it."

Almost immediately he was rounded upon by various consumer groups, who branded his remarks "spectacularly misjudged".

I might have put the point slightly differently (something more like "One is not necessarily incentivised to protect oneself against online bank fraud at present"), but essentially I think he had a point.  I've written for several years on this subject and, at the risk of making myself deeply unpopular, I believe very strongly that everyone has a part to play: it is a joint effort.

I was interested to hear from several small businesses I spoke to at a seminar last week that they felt the best way to deal with the threat was to take out insurance against cyber attacks.  Not surprisingly, there are many insurers in the market who will provide just that.  But read the small print.

Just as with your domestic home insurance, the underwriters of a cyber policy expect you to have taken "reasonable" steps to secure your property.  If you were burgled and you had no locks fitted to your front door, do you really think your insurer should pay up?

Now of course the big question is what constitutes "reasonable steps".  Originally, for a house, it was that you had to have a lock on the doors; then locks on the windows; then a five-lever mortice deadlock conforming to BS 3621; and so on.  What is expected evolves over time.  In fact you probably could obtain insurance for your house with no locks fitted at all, but the premiums would be astronomical.

Risk management has two dimensions: likelihood and impact.  We have to accept that the likelihood of attack is high in general, so what differentiates us is impact: those who would be badly hurt by a successful attack and those who would suffer minimally.  And ask yourself whether you think your bank should really be any different from your insurer.

Banks may well be tempted to use the investigation of attacks and the resulting losses as a reason to delay payment.  The immediate concern of consumer groups was that without an automatic refund of stolen funds, banks would procrastinate.  Maybe so, but this is where Sir Bernard Hogan Howe was right, in my opinion.  If customers are refunded automatically, regardless of the circumstances, they will equally be tempted to do nothing to secure their online interactions.

It's not complicated: there are some immutable laws of computer security which, if you follow them, will significantly reduce your risk.  You could do worse than read the piece I wrote for the BBC at Christmas last year.

This is not something that is entirely beyond your control, and the scale of the problem is set to keep increasing as criminals move online, so do not be surprised if attitudes harden.  Everyone has a part to play and, whilst it is wrong to put the entire onus on end users, bank customers must bear some responsibility for securing their own systems.