Security Summit: Security practitioners the weakest link
The easiest way to get people to stop trusting anti-virus protection is to tell them how flu vaccines work. If you pick the wrong vaccine sample and you inoculate the entire population with 'round A' instead of 'round B' vaccines, everyone will get sick.
This is according to Jessy Irwin, security expert and former 'security empress' at 1Password, speaking today during her keynote address, "Exploring the weakest links in security", at ITWeb Security Summit 2017, at Vodacom World in Midrand.
Irwin explained that in an attempt to beef up IT security, many organisations focus on building and maintaining highly sophisticated technical systems; however, this approach is turning out to be the biggest cop-out in information security.
"Security teams make the mistake of approaching human problems with highly technical solutions - as a result, the needs, knowledge and experience of the average user are rarely taken into consideration, setting up those people for failure when they face security-critical tasks.
"When a major security incident hits the news, security practitioners are quick to place the blame on users and shout from the rooftops that humans are the weakest link in security," she pointed out.
Security teams, she explained, should avoid externalising risk to users, and introduce actionable strategies that help users become an extra line of defence when they are needed the most.
"We give users conflicting advice on how to approach password security - one Web site says one thing and the next says another. Our users don't have a way to figure out what's right and what's wrong and it's really not their fault."
Advice about social engineering, she noted, also confuses online users: they are told all the time that spear-phishing, watering hole attacks and practically anything with a link or an attachment is a problem.
"As a result, users have to do a lot of work to figure out if their e-mail attachment is bad or good. And if they don't know the difference between an EXC file (a source code file) and a DOCX file (Microsoft Word open XML format document), they will just click on it.
"We put a lot of burden on users, when they have to validate that the e-mail link they've received is safe, before they click on it. That's a lot of extra time wasted and for the most part, our users are not going to do all that work," asserted Irwin.
A good way to make security work better for all human beings is to communicate far more proactively with users, and to give them the important information they need before they have to make a security decision, not afterwards.
"Another thing we need to be good at doing as IT security experts, is ensuring users get continuous support and positive reinforcement. One of the hardest things to do is to take someone who doesn't understand technology, and make them care about all these security rules without setting them up for failure," she concluded.