Security Versus Convenience
It does not take much browsing of the internet these days to find an instance of a cyber breach, data theft or invasion of privacy, or to read warnings of an impending threat. Just Google what the FBI director recently told Congress about the threat that China poses to our critical infrastructure.
I often find that we are also concerned about security and privacy in our personal lives. Family and friends always ask me about ways to keep their accounts, home cameras, etc. secure. Yet when it comes to the workplace, these same people don’t seem to think about security. I guess they figure that if someone else is worrying about it, they don’t need to. This is extremely problematic because the users of our systems are one of the most common attack vectors available to potential hackers.
I recently read something simple that put much of this into perspective for me, and I believe it makes a great starting point for any discussion about cybersecurity at work.
I read the simple question, “What is the opposite of security?”
The answer is convenience. It is such a simple and obvious question and answer, but we don’t often address them up front.
In my environment, we instituted Two-Factor Authentication (2FA) a couple of years ago. To this day, I still hear a complaint at least once a week of someone being annoyed that they need to use it. I realize that the person is annoyed because they are being inconvenienced. It slows down their work and interrupts their flow when they need to stop and grab their phone in order to approve the authentication. This realization opens a pathway for a discussion that everyone can learn from and apply to every mitigation effort we take in cybersecurity.
In the case of 2FA, we in IT should carefully explain to our customers what this second form of authentication does: it prevents someone from accessing your account, even if they hold your full credentials (username and password), because they don’t have that second factor.
This point can be emphasized by showing how many usernames and passwords are for sale on the dark web. We can then ask these same customers whether the benefits of 2FA (securing your data and the data of everyone else in your work system) outweigh the inconvenience, and listen to their answer. In most cases, a reasonable person will agree that the benefits outweigh the inconvenience.
Compare that with a discussion we had with our security team while planning the construction of a new building. The director wanted all the AV equipment (including the computer, touch panel and mics) locked in a closet in the room. When someone wanted to use the system, they had to ask to have it unlocked. After some discussion, we were able to all come to the same conclusion: The benefits of that security did not outweigh the inconvenience.
These types of discussions about security should take place all the time, and that includes our AV systems. It is amazing how many of us will answer the same questions differently depending on our culture, budget and environment.
In conference rooms across the world, cameras and microphones are ubiquitous. In many conference rooms, the convenience of walking in and pressing a single button to turn everything on may outweigh any privacy risks. However, passwords or card scans may be needed in hospitals and corporate offices to turn the microphones and cameras on. That inconvenience may be worth it to avoid the risk of someone listening in without the people in the room being aware. In some of these conference rooms, a dedicated computer may be a great solution for people who want to show websites or give a PowerPoint presentation. However, in others, the risk of logging into a shared computer may not be worth the convenience. In those cases, people may be expected to use their assigned laptop.
All of this may be a lengthy way of saying that the best cybersecurity relies on excellent communication with the people using your systems. Often, security is viewed as IT putting roadblocks in the way of people doing their work. I think this is because we (IT) don’t do a good job of explaining why we are putting levels of security in place and what exactly those levels protect us from.
Additionally, we may not always do a good job of listening to our customers and weighing their inconvenience against what we think is being protected. Yes, sometimes IT does just put up roadblocks without a great reason, which is as dangerous as having no security at all, because our clients will likely just find a workaround that is much less secure.