I’ve seen a huge number of changes in cyber security since I began working in the industry (more years ago than I care to remember). Through the years I have seen paradigm shifts in the way cyber criminals operate and the way we as an industry are working to fight them.
Among all the change, one issue has remained a constant – the perception that compromises need to be made between security and usability. Time and again we come up against the idea that there will always be a trade-off between these two conflicting imperatives – how we work efficiently while staying safe as we do so.
I would love to be able to say that this is a misperception and that with some easy tweaks and changes, we can all be working both intuitively and securely. Sadly, however, the situation is not that simple.
What’s the problem?
One way in which this typically manifests itself is the onus placed on IT users to install software updates to ensure their systems work as smoothly and safely as possible. This does not sound like it would be a huge problem for the cyber security industry, but it often is and the reasons why it is so problematic are worth investigating.
The challenge was highlighted recently by an issue experienced by some Microsoft Office users. One component of Microsoft Office, MSFT Equation Editor, has been the target of a number of different exploits against a variety of vulnerabilities over its lifetime. Rather than try to keep fixing it, Microsoft decided to issue a “patch” which, in essence, uninstalls it from a system entirely.
One could be forgiven for thinking that this would resolve the issue but sadly, it has not.
Despite Microsoft’s best efforts, problems have persisted, predominantly because Microsoft is not able to do the one thing that we know would successfully fix the issue – actually compel users to install the patch.
Microsoft has provided simple instructions and multiple warnings to users which should, in theory at least, give them reason to pause and stop running the risk of being hit by malicious documents. We all know, however, that theory is very different to real life and in the real world warnings are not always heeded. In this particular instance some people are still disregarding information, clicking through multiple warning dialogs and leaving themselves open to attack.
There are also, of course, people who are running pirated copies of Windows and/or Office and are not receiving these updates. One way or another, too few users have been installing the patch and as a result the problem still persists in the computing environment.
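As an added example that is not part of the original post, here is a PowerShell check an administrator could run on a Windows host to tell whether the Equation Editor component is still present, i.e. whether the removal update described above has actually taken effect. The binary location and the Equation.3 COM ProgID are taken from public documentation of the component, not from this article; treat them as assumptions to confirm for your own environment.

```powershell
# Added example (not from the original post): report whether Microsoft Equation
# Editor is still installed on this host. The removal update deletes both the
# EQNEDT32.EXE binary and the "Equation.3" COM registration, so either one
# surviving means the fix has not been applied. Paths/ProgID are assumptions
# taken from public documentation of the component, not from the article.

function Get-EquationEditorStatus {
    # Common Files lives in two places on 64-bit Windows; skip unset variables
    $roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { -not [string]::IsNullOrEmpty($_) } |
        Select-Object -Unique

    # Collect any surviving copies of the binary together with their file version
    $binaries = foreach ($root in $roots) {
        $path = Join-Path $root 'Microsoft Shared\EQUATION\EQNEDT32.EXE'
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                Path    = $path
                Version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            }
        }
    }

    # The HKCR: drive is not mapped by default, so use the Registry:: provider path
    $progIdPresent = Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\Equation.3'

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Binaries         = @($binaries)
        ProgIdRegistered = $progIdPresent
        StillInstalled   = (@($binaries).Count -gt 0) -or $progIdPresent
    }
}

# Run the check; a non-zero exit code lets inventory or RMM tooling flag the host
$status = Get-EquationEditorStatus
$status | Format-List
if ($status.StillInstalled) {
    Write-Warning "Equation Editor still present on $($status.ComputerName); removal update not applied."
    exit 1
}
exit 0
```

Collecting this object from every endpoint (for example via Invoke-Command or a scheduled inventory job) turns "users should install the patch" into a measurable list of hosts where it has not happened.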
This is absolutely not only a problem impacting Microsoft users. It is an issue that all of us face and which shows no sign of abating.
Solutions must put the user first
We hear a great deal about how employees are an organization’s single biggest security risk. We also know that employees often fail to update software as needed and that this is a common way to leave networks and devices open to hackers. System updates and upgrades tend to be carried out not only to modify the usability or design of the program, but also to add new security features to protect it from potential hacks. As we’ve seen above, they can also be implemented to address serious vulnerabilities.
Why don’t users do as they’re asked?
When it comes to updating software there are a range of reasons why people fail to do so when asked. In 2016, researchers from the University of Edinburgh and Indiana University surveyed 307 people to discuss their experiences of installing software updates.
Nearly half of them said that they had been frustrated updating software; only 21 percent had a positive experience to share. Sometimes the frequency of updates was itself a cause for frustration: one participant noted that Windows updates arrive too often – always on the second Tuesday of every month, and occasionally more frequently. Sometimes these updates can take a long time, but even when an update is short it marks an unwelcome hiatus in the working day and an interruption to a user’s regular workflow, so people will often avoid installing updates for as long as they possibly can.
Problems typically arise because users feel that in order to effectively get through their to-do list, they simply don’t have time or the inclination to scrutinize the warnings they are given or install the necessary updates. There are a huge number of computer users who don’t fully understand what warning dialogs are really telling them, or what the consequences could be if they fail to do as asked.
What does this tell us?
As an industry, we already know that busy, distracted or reluctant users will often not do as we advise, but most of us have, sensibly, moved on from bashing our heads against a brick wall and expecting wholesale behavior change. It simply won’t happen.
Security solutions cannot look at software and IT processes in isolation. All organizations must take a truly holistic view of the way their users interact with their computer hardware and software and work with what they have, not with how they wish things were.
We now pretty much always work on the assumption that traditional security barriers can and will be breached. This is not defeatist; it’s realistic, and the only way we can deal with the panoply of threats all organizations can and will be subjected to.
As a result, cyber security now works with, rather than against, IT users, as that is the only way we will see true progress in our fight against cyber criminals.
As an industry, we are now focusing our efforts on working as closely as we can with those who are at risk of falling victim to cybercrime. We do this by disseminating information and practical advice to all users, while acknowledging this may not always be taken on board. More importantly, we are also working hard to actively predict cyber criminals’ next steps to ensure fewer IT users are impacted by their activities. Our goal is not just to prevent breaches, but to detect and stop them before major damage is done.