Trust in digital services is low - but is that a good thing for security?
Overall trust levels settle out at 54 percent, and only banking services escape with any real credibility on 59 percent, while e-commerce sites are least trusted on 16 percent.
Despite the report's rather confusing variation in trust scoring metrics, UK users reached only a 3.4 out of five level of trust when making a purchase and a shocking two out of five for sharing personal information on social media, so it's hard not to be concerned.
By the Oxford dictionary definition of trust, which describes it as a "firm belief in the reliability, truth, or ability of someone or something," the Internet has failed on all counts across many years.
Or has it? Could a low level of trust actually be, believe it or not, a good thing as far as security is concerned? That's what we've been trying to determine.
Let's start with the role of security in establishing trust and, given the low figures revealed in the Digital Trust Index report, look at where things have gone wrong.
"The role of security, and our expectations of it, have changed over the years," argues Paco Garcia, CTO at Yoti. "We've moved from the belief that we can create an impenetrable wall to the realisation that methods and technology move so quickly that companies are easily being left behind or outsmarted by hackers."
In other words, according to Garcia, the role of security has become more focused on adapting to potential breaches rather than preventing the breach in the first place.
Simon Crosby, co-founder and CTO at Bromium, meanwhile wonders whether the problem is the lack of a granular isolation construct "that guarantees that the principle of least privilege will be consistently applied to applications and data, no matter how severely compromised the system may be."
Talking to SCMagazineUK.com, Crosby added, "If an attacker masquerading as a trusted friend can trick me into executing his code in good faith, thereby elevating his trust, he can easily gain access – to everything."
So today's user is faced with a barrage of decisions about trust, and any email could harbour an attack. "But when the probability of an attack is low," Crosby insists, "systems that try to protect the user typically fail because they fail to accommodate our humanity."
So what needs to be done, what can we as an industry do, to generate more trust in the Internet? Nathan Wenzler, executive director of security at Thycotic, a Washington DC-based privileged account management solutions provider, says that, "the information security community absolutely is the key point of responsibility to ensure that digital trust is maintained. Historically, I think we can show that a fairly good job has been done to accomplish that."
True, new encryption algorithms are being developed to be stronger and harder to break, along with new authentication and authorisation schemes that have been created (such as two-factor authentication) to build additional protections around accessing data.
"Security teams need to keep finding ways to explain the importance of security protocols in easy to understand ways," Wenzler told SC. "Organisations need to advertise what they do with more transparency and, in many cases, take security more seriously."
The trust the Digital Trust Index report is highlighting is perceived trust, and in this case it's everyone's responsibility to raise the level of awareness and understanding of the entire matter.
Neil Costigan, CEO of the behavioural biometrics firm BehavioSec, agrees that high profile hacking and cyber-crime headlines in recent months have highlighted the detrimental impact of a company not having the correct security measures in place, which in turn heightens consumer concerns around privacy.
Costigan says: "Much of this lack of trust likely stems from the fact that consumers feel that their online security lies very much in their hands - their ability to remember and manage multiple login details and passwords."
To re-establish the trust, service providers need to change the way they think about security, taking an increasingly layered approach to focus on continuous authentication. This behind-the-scenes security would help give the user confidence that they are protected and verified not only when they log on, but throughout the duration of the session.
"Consumers should be part of the security solution rather than the problem," Costigan told SCMagazineUK.com, concluding, "however, this should not introduce a layer of complexity that requires either expertise or access to specific software. We must take the responsibility away from the end user, and put it back in the hands of security officers and fraud specialists."
Which brings us to that idea of low trust levels actually being a good thing. Here's the pitch: does low trust equate to users who are more risk-averse and so, in theory at least, likely to be more security savvy?
Brian Spector, CEO of MIRACL, doesn't think it's a fair question. Instead he reckons we should be asking whether it is ethical for the GAFA players (Google, Apple, Facebook and Amazon) and the corporations that service them to allow millions of people to enter an unsafe space.
"Is it an exchange between what the GAFA player gains from a new user," Spector asks, "and what the new user can potentially lose?" What's more, Spector reckons that meaningful change in security and trust will not come from those who currently hold power across the Web. Instead, "we need to change who holds the power in the relationship."
Meanwhile, Steve Bell, a security expert at BullGuard, reckons it's a very good question that illustrates the dichotomy about internet security. "If organisations had taken security seriously years ago we wouldn't be in the place where we are today," Bell said in a conversation with SCMagazineUK.com.
For instance, only recently has security moved up to the boardroom, and even then this is among a relatively small number of businesses. In most cases the CIO sits below the board level. However, given that many businesses have been lax, a level of responsibility does sit with users.
"This is a positive and it's certainly driving awareness among users," Bell insists. For example, malware, phishing and ransomware are now terms that most people are familiar with, and many people understand the need to protect against these dangers through the use of good antivirus software and good online practices. So in this context, low trust actually drives good security practice.
Josh Bressers, security strategist at Red Hat, thinks of it more as an oxymoron. "Low trust is never good," he told us, "but I also wouldn't say I see a growing level of security savvy."
Bressers says that there's a clear gap between security perception and reality. "The security industry has not done a good job of engaging with normal people," he says. "They don't really know what to do or where to start. What some think of as 'savvy' today is often the opposite of recommended practices by security professionals."
Stephen Love, security practice lead at Insight, agrees that low trust is never a good thing, arguing that it makes us wary but not more risk averse. "I think it's a case of hope for the best," he told us.
Indeed, it's something of a paradox that some level of distrust helps establish a greater level of security, making a world without distrust somewhat undesirable. "We gain trust by being able to understand and control things," concludes Oscar Marquez, CTO at iSheriff. "The internet is no different and we only need to understand and control the parts that affect us."
It's likely, therefore, that each person understands their online world and distrusts the larger, less known internet. These are the forces pulling on the Digital Trust Index.