The eternal struggle: Security versus users


There’s an old joke that a job in security is a safe place to be grumpy. From what I’ve seen over my career, that is often true. Security people seem to cherish their reputation for being pessimistic and untrusting.

Some take it further and cast their disdain upon the users, who obviously need to be protected from themselves. (As a side note, my mom always hated when we computer folk referred to their customers as “users.”) Hopefully a majority of us are more professional than this, but we still make it tough for our non-security comrades. Here are three big things security says that annoy people.

Don’t let confidential data leave the premises.

This makes sense from a security point of view. There have been some high-profile breaches, like the one at the NSA, where a worker took confidential data home and it was leaked out with dire consequences. We’ve also seen the same thing happening when workers attach sensitive files to email. Why do people keep doing that?

It’s simple: workers have a lot of demands to get their work done and sometimes they want to take work home. The reasons are many—taking care of a sick kid, catching up on a tough assignment, reducing a long commute. Also, there are times when they need to share data with others, and email is the most convenient way to do this.

But when they strike out on their own instead of using approved tools and methods (assuming they’re available), usually one of two types of thinking leads them astray. One: they don’t know better or don’t know how to work remotely in a safe way. This could be because they feel that if the system lets them do something, it must be okay. The second problem is when they think they know better and are sure it won’t cause any harm because no one is going to attack them.

Don’t click on links in email

Yes, they will click on links in email. I bet you do, as well. Is it realistic to expect them to be able to tell what’s fake and what’s real? Sure, there are some obvious phishes, but it’s getting harder and harder to tell. It’s a cybercriminal’s job to figure out new and better ways to trick people into clicking. They copy logos, register domains, steal certificates, and employ psychological tricks. It’s genuinely difficult to move people into a mindset of second-guessing every single email they get.

This is also compounded by the fact that email is a critical piece of modern business. We all use it all day long, so there’s a familiarity that promotes trust in the system. Plus, there’s also probably an expectation that the security people are screening out bad email for them.

You need to authenticate securely

Put yourself in the shoes of an ordinary worker. They’ve just dashed out of a meeting and have a few minutes to check email and call up a file before their next meeting. They need to log in, which means entering an 8-character password containing a combination of upper and lower-case letters, rotated every 3 months, that they can’t write down. Okay, and after that it’s a two-factor login, so they need their phone. First, unlock the phone. Well, first hopefully they have their phone with them, because sometimes they don’t. Hopefully the login hasn’t timed out after all of this.

Yeah, yeah, most of the time this process goes fast and smooth, but not always. As a security professional, I still find myself getting locked out right after I’ve had a mandatory password change. And then there was the time I was offline because my phone got upgraded and the two-factor app stopped working (it took many calls to the help desk to get it going again).

Then there’s the lockout that fires off automatically if you haven’t touched the mouse or keyboard in ten minutes. Useful if you forget to log out, but annoying if you get a long phone call or are reading something intently. And of course, you have to log in all over again. Chalk these up to the modern inconveniences of technology; however, many people consider them hassles foisted upon them by the “paranoid” security team. It’s obviously frustrating to enough people that there is a whole market for something called a “mouse jiggler” that keeps a system logged in and awake even if you aren’t using the mouse or keyboard.

What we can do about it

First of all, anyone not working in cyber security is likely to assume that security is not their job and they are not responsible for dealing with it. In fact, they are likely more focused on their direct job responsibilities and don’t want to deal with security systems that just get in their way. So, what do we tell people regarding security? There are two large leverage points to helping people manage the security controls: security awareness training and tool selection.

Reach them by teaching them

Security awareness training is a great opportunity to reach and interact with all parts of the organization. This is where you can really help them understand why you are doing things and get their buy-in.

Remember the average person’s take on security: they have real jobs to do, and security isn’t one of them. You can’t expect a lot of comprehension, much less retention. So, think hard about what you can realistically expect folks to understand and remember. When the security awareness training is done, it boils down to three key messages:

1. The security team can’t be everywhere all the time. Therefore, we need everyone to help protect our organization and our customers. Security will lead the effort, but we need our entire organization to help. Why?

2. Because the threats are real. There are cyber-criminals out there whose job is to rip us off. They make money when we lose money, and they’re very good at it. When we ask you to do something, it’s to stop them. And we can’t win every battle. Which is why…

3. If you see something, say something. When something looks suspicious, call security and we will take care of it. But we need you to speak up. See a funny looking email? Call the help desk and ask before you click. Got a scary pop-up message? Call us and we’ll investigate. Need to take work home? Call us and we’ll help make it happen securely.

At the heart of this is a clarification of their role in security. You want to reframe security as part of their responsibility to support the organization and your customers. Remind them that all of us are working to serve our customers by protecting their data. The duty of custodianship isn’t just a policy statement, it’s a key part of the organization’s mission.

When you are explaining the threats, make things as concrete and relevant as possible. This means tangible examples that show exactly how an attacker would phish your people and how their stolen credentials would be used. Explain to them exactly how anti-virus software works and its limitations (it’s never going to be perfect, things will slip through). Show them how private information is traded on darknets. Use examples from your industry to show how your customers’ information is valuable. Talk about real incidents from your organization (sanitized, of course) to dispel the “that can’t happen here” attitude.

I’ve even shown statistics on the number of network attacks and malware emails we block every day to show the relentless nature of cyber-attacks. Be sure to use threats and impacts that tie directly back to the organization’s operational model, such as how a DDoS attack would cripple sales. You may scare people a little. That’s fine, as long as it’s not exaggerated or scaremongering. A little healthy but realistic unease can help make the lesson stick.

Give them the appropriate tools to work safely

Make sure the security controls align with business needs and be sure to educate users on how to use them. Find out what your people really need to get done and provide tools that will work. You know that a certain percentage of people will get things done one way or another. If you don’t give them an easy way to do it, they will do it their way, not your way. No solution is going to make everyone happy, but you can try with good usability testing and strong help desk support. You should make it easy and friendly for them to call for help.

We’re all in this together

It’s best to work with users instead of talking down to them, scolding them, or intimidating them into obedience. The message should always be that it’s us versus the cyber-criminals, not security versus the users. It’s a difficult battle stopping the breaches and hacks, and we need all the help we can get.