When we think about security, we tend to look at it from the perspective of a war: it’s us (the good guys) against them (the malicious hackers, crackers and attackers). On one level, that’s exactly what it is. But that’s not all it is. This is a battle that must be waged on multiple fronts, and while we’re focusing on keeping the criminal hordes outside of the network castle, we must also be on guard for the dangers posed by the enemy within.
We all know that insider threats pose a tremendous risk to our organizations, and many security experts classify this as a bigger problem than that of outsider attacks. According to an article in the Harvard Business Review last September, “the role that insiders play in the vulnerability of all sizes of corporations is massive and growing.” And while many such articles focus on malicious or “rogue” employees, the HBR reminds us that human error is a major factor in many breaches.
Never underestimate the ingenuity of workers whose objective is to make things more convenient for themselves. It’s not malevolent intentions that drive most violations of company security policies. Laziness occurs on the admin side, too. And when you have both lazy users and lazy administrators, you have the recipe for a perfect storm of security laxity that leaves your organization vulnerable to those who do have evil intent.
The security/convenience continuum
For those of us whose jobs are focused on keeping attackers and malware out of our networks and keeping sensitive information confidential, security is the top priority when it comes to configuring and using computing resources. However, it’s important for us to remember that to the average user, whether performing business or personal tasks, getting it done quickly and easily is the most important thing.
Security and convenience exist, for the most part, on opposite ends of a continuum. In general, more security means less convenience, more frustration and a longer time required to accomplish the same thing. Some would go so far as to say convenience is the enemy of security. This applies to both physical security and software-based computer/network security.
Anyone who has ever worked in a high security environment knows what a pain it can be to deal with complicated password requirements, multi-factor authentication, and being barraged with security questions to which you may or may not remember the answers.
Even security experts sometimes get tired of jumping through hoops just to access a document or check email. When you’re technically savvy enough to know how, it’s awfully tempting to bypass some of those annoying security measures “just this once” for the sake of getting your work done in a more timely and less exasperating manner.
These are the people (you and I) who know very well how prevalent the threats are and how catastrophic the consequences of a breach can be. If security measures are so obstructive they cause us to consider circumventing them, you can imagine the frustration of less security-conscious users.
Too much security can result in not enough security
Many organizations are caught in a vicious security/convenience cycle. Their security assessments show that they’re at risk for exposure, so they tighten security restrictions. The tightened restrictions make it difficult for their users to get their jobs done, so they look for (and often find) ways around the security measures. This causes the IT department to double down on security, and so forth.
We’ve seen this at work in regard to password policies. Companies create policies that are intended to make passwords uncrackable, such as: minimum 12 characters, must contain upper and lower case letters, numbers, at least one symbol, no dictionary words – and then require that users change their passwords, meeting those same stringent criteria each time, every four weeks.
What inevitably happens? Users, frustrated at their inability to remember these ever-changing, non-intuitive passwords, write them down. And since the policy requires them to authenticate every time they log onto a resource, and the system logs them out periodically, they must refer to the note frequently, so they keep the written record in a convenient place, such as a desk drawer or on a piece of paper tucked under their keyboard.
No technical password-cracking skills are necessary for someone with nefarious intent to discover that oh-so-secure password and gain full access to the network as an authenticated user.
In another example, the organization prohibits employees from accessing the corporate network from a remote location. Then, when they burden the workers with tight deadlines that must be met, and those workers know that the only way to meet them is to take their work home, they do things like copying the files to a USB stick or SD card, probably without bothering to encrypt it, creating a greater likelihood of a data leak than a VPN connection to the company network would have posed.
Due to this natural human propensity for finding ways around obstacles to convenience, companies struggle to strike a balance and find the middle ground that provides protection against hackers and attackers and that users can live with.
What’s the solution?
In order to strike that balance, when you design your security strategy, you need to take into account the normal inclination of users to seek out the path of least resistance. There is a point at which the number of steps or the difficulty of those steps in the security process becomes a motivator to bypass security.
Time is an important factor. Think of it this way: If you have a line of people waiting to get into a concert venue, it’s not usually so much the cost of the ticket that causes some to try to sneak through the hole in the gate as the desire to get in quickly, without standing in line for an hour. Anything that slows people down – particularly those with high-pressure time-sensitive jobs – is an invitation to security circumvention.
To recognize which security steps users can easily adapt to and which they can’t, you’ll need to actually talk to the people who do those jobs and must work within those policies. That seems obvious, yet many policymakers never ask for the input and opinions of those who have to live most directly with the consequences of their decisions.
You may find that a multi-factor authentication system that combines two relatively easy steps – such as fingerprint or facial recognition combined with an easily remembered PIN – works better and provides better security in the overall scheme of things than one more complicated step, such as entering the complex, ever-changing password mentioned above.