A cartoon has been making the rounds on the internet for a long time. It depicts how all security technologies and efforts can be undone by “Dave” the ‘stupid user’.
I can’t think of many (well no) real industries that treat their users, peers, and customers with the same level of disdain.
Imagine the automotive industry pushing a similar message. ‘On one hand we have seatbelts, ABS, airbags, five star safety features… and on the other hand we have dumb drivers.’
Or a gym stating, ‘We have personal trainers, protein shakes, free weights, machines, exercise classes… and on the other hand, we have lazy people that just want to binge watch shows and eat pizza.’
Maybe a college could claim, ‘We have the best teachers in the world, pity about the unruly students.’
No, seriously, I mean, governments have been overthrown for a lot less. I’m frankly quite surprised there hasn’t been at least some level of civil unrest where an unruly mob surrounded the IT Security department, only to be dispersed by the CISO, dressed in full riot gear with a water cannon.
While most security advice for users is all well and good, it is far from practical for the vast majority.
How do I know this?
Well, after giving out security advice for most of my career, I recently found myself falling short of much of my own advice.
Our CISO at AlienVault, John McLeod, is a very nice man. But I did feel the urge to shake a fist at him a few days ago after I fell victim to a rather clever phishing email he’d sent out as part of an awareness campaign. It was well-crafted, had no grammatical errors, and in my haste while on my phone, I clicked on the embedded link.
There goes my perfect record of not falling for a simulated phishing email.
Then I was hit by a second surprise as I was informed by a service provider that my account had been disabled due to my credentials being found in a breach. I was grateful to the service provider for informing me, so I went about diligently changing my password, when I realised that this provider also had two-factor authentication which I had not enabled.
I then spent the better part of the next two hours changing old passwords (I may have reused a couple), enabling two-factor authentication wherever it was available, and doing a search for all my various credentials on haveibeenpwned.com.
It made me realise how far security still has to go in perfecting its user experience: creating products that users genuinely find useful, usable, credible, accessible, valuable, or even desirable.
But most of all, it made me realise that while I may work in IT Security, I too am Dave.