Runaround Sue
While most of the U.S. is focused on did-she-or-didn’t she as it relates to Hillary Clinton’s private email server and the rules Clinton may or may not have broken, new emails from also-former Secretary of State Colin Powell highlight a well-known but persistent information security problem: When usability and accessibility are in question (and when aren’t they, really), end users will always seek out shortcuts that make their lives easier.
Wise security practitioners understand and acknowledge the problem, but to a large extent, the industry still throws up its hands when “sneaky” end users don’t follow secure protocols and when they find paved paths around security processes or controls. When discovered, the security practitioner’s immediate reaction is, “That person is compromising security! He or she is putting our organization at risk!” And while technically that might be true, most end users aren’t dealing with State secrets and don’t view risks in the same light as the security team. Even when the stakes are understood, to a large extent, end users consider using devices and navigating the internet as they do crossing the street: “Sure, there are all kinds of cars and trucks and buses on the roads that could run me over, but as long as I stay in a crosswalk and abide by traffic signals, my chances of getting run over are pretty slim. And after all, I can’t stay on the same side of the street forever. Gotta get stuff done.”
Here’s my story, it’s sad but true
Mobile devices, ultimately, are convenience devices. They were created for the sole purpose of making users’ lives easier and more efficient. For the earliest smartphones, security controls had to be Mod Podged on, leaving any information stored on or flowing through the device leaking like a sieve. As time wore on and security practitioners pounded the security drum, pointing out the inadequacies of this method to manufacturers and carriers, security crept into the equation. Slowly but surely, security begun to be a selling point. Apple and Google stepped up their security games, with Apple yelling, “encryption!” at the top of its lungs and Google vowing to shame any insecure internet connection.
“Security from the onset” signals an important turning point in consumer devices; tech companies are taking the lead and including security in the design of many products, much in the same way rearview mirrors or accelerator control systems have been mandated in the manufacture of all modern vehicles since 1968 and 1973 respectively. Security, though, is somewhat objective and certainly a matter of degrees, and even the most conscientious- and rigorously-designed product still faces myriad challenges. Just like a driver could stick Duct Tape over his rearview mirror or monkey with the accelerator controls, many ways to sidestep implemented device controls exist. Especially when it comes to accessing cloud services, today’s end user has more insecure options than ever before.
So if you don’t want to cry like I do
Every rule has a gaggle of associated rule breakers, and as more and more of our lives are indulged by new technologies, it’s going to become correspondingly challenging to secure those technologies and block the various paths users take to avoid the inconvenience of security. Most individuals won’t have the ability to set up his or her personal email server, and most wouldn’t want to anyway. As long as convenience is a factor and ways to skirt kludgy controls exist, end users will choose that option. Sometimes that means disabling settings or establishing “one account to rule them all,” and sometimes it means copying and pasting or downloading or jailbreaking…the possibilities are endless at this stage of the game.
One key is to return to a focus on system administration and put controls around the data. The industry talks about it a lot, but too many breaches are indicative of the fact that that isn’t happening regularly and consistently. Another piece is for developers to put even more effort into making security as inseparable from the product or service as possible. A manufacturer can put a seatbelt in a car, but neither they nor car dealers can make drivers or passengers use them. If it’s convenient to wear a seatbelt, though, and the return on doing so is both known and high, there’s a better chance people will use them. In fact, according to the National Occupant Protection Use Survey, the average nationwide seatbelt usage rate was 88.5% in 2015. If information security can start to take a similar approach and make security a “no brainer,” mobile device end users will stop thinking of ways to avoid what practitioners are trying so hard to implement.