October is here. Since Halloween ends the month, the cybersecurity industry spends the rest of the month scaring users with all the ways they cause problems. We tell them if they were only a bit more aware, then cybersecurity would be a solved problem.
If only it were that easy. In the words of Professor Nancy Leveson, Human error is a symptom of a symptom in need of redesign. So this National Cybersecurity Awareness Month guidance is aimed, not at users, but at all the security professionals who give out quick fortune-cookie advice, pointing out why those trite answers aren’t as easy for everyone as we’d like.
Don’t Click Anything (But Really, Don’t Click Anything)
Sorry to start out with a touch of dry humor, but that is the normal wording our industry uses. We tell people that when they click on that link in email, it’s their fault if it leads to a breach. If only they didn’t click! But have we considered the complete lack of security in the email and client infrastructure? I could send an email from TotallyABogusAccount@scaryhostingservice.com, but claim to be from “President Joe Biden.” Both of those pieces of information are available to your mail client, but most clients will show the user that the mail is from the President of the United States. And then, if the user clicks a link (which, if they want to get paid, they’d better click the link when Finance sends them onboarding mail), bad things can happen, because the link gets sent off to the operating system handler, which probably dispatches it to the default browser, where it has access to the user’s login cookies.
Want to build a safer enterprise? Make it safe for a user to click any link that gets to them.
Just Use Multi-Factor Authentication (MFA)
This is great advice in an enterprise, and really painful for a lot of end users. What’s the difference? Bootstrapping. If an employee loses their phone, then they just need to talk to the helpdesk, who can set up their new phone as the MFA device. Lose your phone as a consumer? You may be locked out of a lot of accounts for a long time. Businesses don’t really know who you are, and calling them out makes you sound like an adversary trying to steal an account. Sure, we can tell users to store backup codes (although that conflicts with “don’t write down passwords”), but how many, and for how long? Will they even be able to find them later?
Want to make MFA work well for your consumer business? Identify how you’ll deal with re-provisioning bootstrapping for that MFA device.
Don’t Write Down Passwords, Don’t Reuse Passwords
Only one of these two pieces of advice can be helpful (I’m a fan of “don’t reuse passwords,” so much so that I try to limit email address reuse). But for years, we’ve told people not to write down their passwords, which is inconsistent with asking them not to reuse passwords. Password managers exist, but I’d happily be in a world where people wrote their passwords in a notebook (especially when you think about legacy planning), rather than using easy to remember passwords. I just checked one of my password managers, and it has over 300 distinct passwords in it. I’m not going to remember new passwords.
Encourage writing passwords down, at least until you eliminate them entirely. For enterprises, you should be looking at X.509 certificates combined with an MFA token, and leave passwords to the consumer industry.
Turning Tricks Into Treats
The next time you’re inclined to blame a user, ask how the system they were working in made it easy to do something risky, while making it hard to stay safe. And spend your energy focusing on reducing risk, not berating users.