Inclusive Cybersecurity: Keeping Vulnerable Users Safe


MAY, 2024

Staying safe online is essential to protecting our data.

Not every user has equal access to the necessary security and information needed to protect them from online threats. People with disabilities and vulnerabilities face unique challenges with web accessibility and staying safe online.

To make disabled users feel safe online, we must improve our digital accessibility. This includes making cybersecurity easier to understand and widely accessible to vulnerable web users.

To address cybersecurity risks, we have to consider accessibility and inclusivity. Inclusive security must ensure a perfect balance of accessibility and digital security regardless of disability and resources.

What is Inclusive Cybersecurity?

People with disabilities can face additional barriers and vulnerabilities online.

Inclusive cybersecurity is about ensuring that people of all abilities can participate in the digital world safely and securely. It concerns the design and integration of digital security measures that cater to the specific needs of individuals.

The goal of inclusive cybersecurity is simple: ensure everyone has equal access to the accessibility tools and resources required to protect them from cyber threats.

For cybersecurity to become totally inclusive, it needs to remain robust, but flexible.

7.15 million disabled internet users in the UK have accessibility needs.

Revisiting the online shopping experience of customers with disabilities, and the cost to business of ignoring them, Click Away Pound Report


Examples of inaccessible cybersecurity

We are dependent on essential digital services that involve our finances, healthcare and education. They each require robust security settings. 

Security tools like multi-step authenticators and facial recognition software are effective at keeping cyber-criminals at bay. But do they render websites inaccessible to users with disabilities? 

If you have rigid security measures, they may be making your website harder for vulnerable users to access.

There are multiple security measures that can be inaccessible:

  • Complex interfaces, unclear links, and warnings that are only audio or visual can increase human errors.

  • Colour-based warnings like "red for high risk" and "green for safe" may be hard for people with colour blindness to tell apart.

  • Without clear notifications when making a change, users may think they've set up a security control when they haven’t.

  • Removing accessibility features for security reasons might cause users to leave your website before checking out.

  • Worries about breaking assistive technology might stop users from updating their systems.

  • Security policies should be written in clear and accessible language.

  • Cybersecurity information should provide both audio and visual information.

  • Login systems should allow enough time and options for input.
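The points in the list above, sketched as an added JavaScript example (not code from the original article): notices carry a text label as well as colour, setting changes are confirmed explicitly, and the login timer offers an extension before it expires. The function names, class names and the 60-second warning window are assumptions made for illustration.

```javascript
// Added example: security notices that do not rely on colour or on one sense.
// LEVELS, the CSS class names and the sample wording are illustrative assumptions.
const LEVELS = {
  // role="alert": assistive technology announces it as soon as it is inserted
  high: { label: "High risk", icon: "⚠", role: "alert" },
  // role="status": announced politely, without interrupting the user
  safe: { label: "Safe", icon: "✓", role: "status" },
  saved: { label: "Change saved", icon: "✓", role: "status" },
};

// Escape untrusted text before it is placed in markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Build a notice whose meaning is carried by a text label, not only by colour.
function renderSecurityNotice(level, message) {
  const spec = LEVELS[level];
  if (!spec) throw new Error(`unknown level: ${level}`);
  return (
    `<div class="notice notice-${level}" role="${spec.role}">` +
    // The icon is decorative; the label next to it is what screen readers read.
    `<span aria-hidden="true">${spec.icon}</span> ` +
    `<strong>${spec.label}:</strong> ${escapeHtml(message)}</div>`
  );
}

// Confirm a security setting change and state the resulting state in words,
// so the user does not assume a control is on when it is not.
function confirmSettingChange(settingName, enabled) {
  const state = enabled ? "on" : "off";
  return renderSecurityNotice("saved", `${settingName} is now ${state}.`);
}

// Decide what a login form should do as its time limit approaches.
// warnBeforeSec (assumed 60 s) is how early the user is offered more time.
function loginTimeoutAction(elapsedSec, limitSec, warnBeforeSec = 60) {
  if (elapsedSec >= limitSec) return "expired";
  if (limitSec - elapsedSec <= warnBeforeSec) return "offer-extension";
  return "continue";
}

// Constructed sample input.
console.log(renderSecurityNotice("high", "New sign-in from an unrecognised device"));
console.log(confirmSettingChange("Two-step verification", true));
console.log(loginTimeoutAction(250, 300));
```
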

reCAPTCHA tests were the second most common website issue faced by all respondents (63%) to the Click Away Pound survey (including those using assistive technologies).

Rick Williams and Steve Brownlow, The Click-Away Pound Report 2019 (February 2020), Click Away Pound


How to make Cybersecurity more inclusive

Enabling accessible and inclusive cybersecurity requires a proactive and comprehensive approach that addresses technological and cultural features of online safety.

Here are some steps that businesses can take to create a more inclusive online environment:

Prioritise Accessibility within Cybersecurity

Include accessibility in the planning and strategy phase of your cybersecurity system, rather than adding it as an afterthought. Consistently review the accessibility of the system, products, and services you're implementing.

Flexible Security Options

Having a system that is more accessible should not mean it is more accessible to criminals. There are several ways to make your cybersecurity more accessible without compromising its effectiveness.

There is no 'universally accessible' online security measure. One user's preferred method might be an obstacle for another. Provide flexibility so people can choose an approach that works for them and their specific needs. This flexibility can also improve the resilience of your systems and provide a reliable backup.

Don’t compromise on the ‘what’ but be flexible on the ‘how’. You don’t need to dilute your security requirements to achieve accessibility, but you should be open to different ways of realising these requirements.

Accessibility as a cyber security priority, NCSC


Education and Training

Provide comprehensive education and training programs that raise awareness about the unique cybersecurity challenges faced by people with disabilities. Train employees to design and implement accessible digital solutions and encourage empathy and understanding towards disabled users' needs.

Collaboration and Co-creation

Involve people with disabilities in the design and development of cybersecurity tools and policies. Businesses can ensure their products and services meet everyone's needs by considering various perspectives during the decision-making process.

Accessibility Testing and Auditing

Conduct regular accessibility testing and auditing to identify and address barriers in digital infrastructure. Collaborate with experts in accessibility and usability to evaluate the effectiveness of security measures from the perspective of disabled users.

Test your security where it may be challenging for vulnerable users and where human error is likely to happen.

Adoption of Standards and Guidelines

Follow established accessibility standards and guidelines, such as the Web Content Accessibility Guidelines (WCAG), to ensure compliance and compatibility with assistive technologies. Incorporate accessibility requirements into procurement processes and vendor contracts.

User-Centric Design

Prioritise user-centric design principles that focus on usability and inclusivity. Create interfaces and interactions with disabled users in mind. Think about things like different ways to navigate, customisable settings, and clear security messages.

Threats to Disabled Users' Cybersecurity

Disabled users remain vulnerable to threats and risks online, despite efforts to promote accessible and inclusive cybersecurity. Understanding these challenges is essential for developing targeted strategies to mitigate potential dangers:

Phishing and Social Engineering

People with cognitive and neurodiverse impairments may struggle to discern malicious intent in phishing emails or social engineering attempts. Online criminals exploit vulnerabilities in cognition and perception to deceive users into divulging sensitive information or performing harmful actions.

Accessibility Exploitation

Malicious actors may target accessibility features and assistive technologies to exploit vulnerabilities in disabled users' digital environments. Malware or ransomware that disrupts screen readers can make it hard for visually impaired people to use the internet.

Device and Software Vulnerabilities

Many assistive technologies rely on specialised hardware and software that may be prone to security vulnerabilities. Old assistive technologies can be risky for disabled users. This is because they may not receive security updates. As a result, their devices and data can be vulnerable to exploitation.

Privacy and Data Protection

Disabled users' sensitive personal information, such as medical records or communication preferences, may be at heightened risk of unauthorised access or disclosure. Data breaches and privacy violations can have severe consequences for disabled individuals, including identity theft, discrimination, and loss of autonomy.

An accessible and inclusive digital world for all

Inclusive cybersecurity is not a luxury; it's something digital businesses will have to adhere to. Online accessibility is crucial, especially as we inch closer to the European Accessibility Act and WCAG 3.0.

It's essential to safeguard the security and dignity of all users across the digital world. By prioritising accessibility and inclusivity in cybersecurity practices, businesses can empower people with disabilities to navigate the web with confidence and security.

We can make the digital world safer for everyone by collaborating to solve the specific problems disabled users face on a daily basis.