Weekly reports tell us that user negligence is to blame for the vast majority of security breach incidents. The CERT Insider Threat Center determined that most security incidents initiated through phishing and other social engineering are carried out by acquiring and misusing user credentials to secure systems.
The challenge is that users are indeed human. They are flawed, they are careless and often exploited. Users (computing) are in fact defined as “Those that generally use a system or a software product without the technical expertise required to fully understand it”.
Working as an IT administrator, you can be sure your favorite things to hear a user say include:
“So I installed…”
“Here, use my account”
“What would happen if I hypothetically did it?”
“We wanted everyone to use the same password because they forget it all the time”
And, “Oops, I did it again…”
Not everyone is listening
To address the human aspect of security, we know that better education must be part of the solution. If a user is given the tools to truly understand why they are being asked to work and behave in a certain way, that sense of frustration and inadequacy they may have felt previously could well be alleviated.
Clearly, not everyone is listening to the security education experts. But have we stopped for a second to consider that if people aren’t taking the advice of the professionals, maybe the advice itself is flawed?
IT security experts try extremely hard to push people down one way of thinking. “Don’t share passwords”, they say. “Don’t re-use passwords across multiple applications,” they add. But what many of them forget is the cost to the user of adhering to each of those pieces of advice.
Let’s analyze the first piece of advice: “Don’t share passwords.” This is now just the world we live in. These days, to most people, the convenience of accessing data quickly is more important than securing data. Yes, there’s an education piece to be done there by security advisors around the dangers of password sharing, but in the hustle and bustle of everyday work, where employees barely feel like they get five minutes to sit and breathe, it’s no wonder they cut corners to get the job done.
To them, getting the job done is far more important than considering the minute risk they may pose to their business or their data by cutting the odd corner, especially if they share passwords with just a trusted group of people.
Now let’s analyze the second piece of advice: “Don’t re-use passwords.” What, so we expect people to remember tens of unique passwords, each containing a mix of uppercase characters, lowercase characters, numbers and symbols? Employees manage around 27 unique passwords — that advice is simply not practical.
It’s at this point that most people start to ignore the advice of cybersecurity advisors. They don’t believe the danger is real, and the advice is not practical in the modern digital world anyway. It’s a bit like children ignoring what they see as their overprotective mother who doesn’t understand the real world. And that’s when breaches happen. And we get to say, “We told you so” and “Education is key”. And “get down off that stool, it’s dangerous.”
We must accept that employees aren’t going to change their habits in a hurry, no matter how much you try to scare them into doing so. We live in a world where convenience and simplicity are so important, and the advice the industry has been giving doesn’t always support the way workers want to get on with their job. The industry has been touting the same “education” message for the past 10 years, and quite frankly, if it hasn’t worked by now, it’s never going to work.
François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.