House of fun
A few weeks ago I attended an out-of-town event where I knew only the hosts. Inevitably, this type of situation leads to small talk on topics like weather, family, and what everyone does for a living. When it came to my turn to be asked, “So, what do you do for work?” I replied in the most generic way possible: I work in cybersecurity. Given that cybersecurity (and not information security, IT security, or just “security”) has become part of the vernacular, I figured this was safe and everyone would say a few nice things, then we’d move on to the next person, as had been the case with everyone who answered before me.
Not so much. Reactions started with, “Wow, that’s interesting/different/scary,” and progressed to, “I have so many questions, but I don’t want to make you talk about work during a party.” Because I knew almost no one, and we were on a boat together for hours with a limited number of topics that can be carefully navigated among strangers, I said I’d be happy to answer any questions people had. Immediately people began asking about passwords: Why do they have to be long? Is it really bad if I write all my passwords down or store them in my phone’s files? So what if someone gets into my account?
These non-tech people didn’t seem to care all that much about stolen personal information. Credit cards can be replaced at no expense to the consumer. Everyone receives so much spam that it’s hard to notice if one’s email address has been stolen, bought from a third party, or provided by the owner on a whim. Companies do so much account profiling that it’s no longer weird or creepy to see targeted ads in email, on visited web pages, or even TV. And to top it off, no one at the party had had his/her identity stolen or a bank account drained, which I imagine would have changed the tone of the conversation.
I explained how having one’s accounts compromised, credit card stolen, or personal information pilfered from the dark web or some paste site could lead to identity theft, disappearing funds, or a myriad of other horribleness. Though no one liked the idea, per se, it still wasn’t enough to incite dedication to improved digital vigilance. So I tried another tack: I showed them how my password manager works. With the scan of one finger, I gain access to all of my sites without having to know any passwords! And all of those passwords are as long and random as each site/service/application will allow! Now this earned everyone’s interest. It’s that easy? I don’t have to think up or remember my passwords? OK, just one long one—what’s the best password to use to gain access to all the rest? Do I need to set up the password manager on every device I use?
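The two points the demo rested on, that the manager picks each password as long and random as the site allows and that only the one master password is ever typed by a human, can be shown in a few lines. The following is an added illustration, not code from the post or from any particular password manager; the site policies are constructed placeholders, and the entropy figures show why “long and random” matters more than anything a person would choose by hand.

```python
import math
import secrets
import string

# Constructed, hypothetical per-site policies: the longest password each
# site accepts and whether it allows punctuation. Real sites vary widely.
SITE_POLICIES = {
    "example-bank":   {"max_len": 20, "symbols": True},
    "example-forum":  {"max_len": 64, "symbols": True},
    "example-legacy": {"max_len": 12, "symbols": False},
}


def alphabet_for(policy):
    """Characters the site permits, derived from its policy."""
    chars = string.ascii_letters + string.digits
    if policy["symbols"]:
        chars += string.punctuation
    return chars


def generate_password(policy):
    """Draw a password of the maximum allowed length, each character chosen
    uniformly from the allowed alphabet with the OS CSPRNG (secrets), never
    with random.random(), which is predictable."""
    alphabet = alphabet_for(policy)
    return "".join(secrets.choice(alphabet) for _ in range(policy["max_len"]))


def meets_policy(password, policy):
    """Check that a generated password is exactly what the site will accept."""
    alphabet = set(alphabet_for(policy))
    return len(password) == policy["max_len"] and all(c in alphabet for c in password)


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random password: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def vault_report():
    """Generate one password per site and report its strength in bits."""
    report = {}
    for site, policy in SITE_POLICIES.items():
        pw = generate_password(policy)
        assert meets_policy(pw, policy)
        report[site] = round(entropy_bits(len(pw), len(alphabet_for(policy))), 1)
    return report


if __name__ == "__main__":
    # A typical human-chosen 8-letter lowercase word has ~37.6 bits;
    # even the restrictive legacy site's generated password has ~71.5.
    print("human 8 lowercase letters:", round(entropy_bits(8, 26), 1), "bits")
    for site, bits in vault_report().items():
        print(f"{site}: {bits} bits")
```

The manager stores these strings and fills them in; the user only ever types (or unlocks with a fingerprint) the master secret, so the per-site passwords can be as unmemorable as the site permits.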
Next I showed off my VPN and how easy it was to install (only a few clicks, limited information typed into a form) and use. Everyone loved how, when I turned it on, the icon on the screen moved from my present location to somewhere else before connecting. Not a foolproof solution, I admitted to the group, but an extra layer of security that’s also kind of fun in a gamification way.
As soon as I started talking about and showing convenience and fun, everyone was interested. That it also helps people stay more secure was an added bonus. While non-techies care less about cybersecurity than those of us who work in it, or less than the businesses they work for (which may face serious fines, disruption, loss, etc. in the event of a compromise or breach), convincing consumers/employees to practice better security improves security for all.
This is not a kumbaya moment by any means. For years security practitioners have been offering security awareness and training. Several years back the focus was on employees’ kids and how doing better at personal security could help protect one’s kids when online. Then it turned to shame and fear: clicking on a link in an email could result in malware that could affect the whole company, and you could be fired. Plenty of different tactics have been used over the years, but personal security has made only small strides because, well, who cares about infosec anyway?
Security pros can’t expect anyone to care about or practice security in the same way they do (and I’ve run into more than one practitioner who admits to connecting to free WiFi at times or downloading unapproved App Store apps). That said, the focus on security for security’s sake isn’t gaining us ground fast enough to make an immediately noticeable dent in our companies’ security postures. Many of today’s security awareness and training programs are more akin to being told to (as a young kid) eat your vegetables than they are to being invited to a BBQ with all people you know and like. Yet I experienced a touch of the latter when demonstrating a password manager and personal VPN during a somewhat awkward social gathering.
This type of awareness “training” isn’t a seismic shift, nor am I the first to try this approach. It seems to me, though, that this kind of direction is needed more in corporate programs, even when the goal is to protect corporate systems. The difference is a focus on ease of use and amusement rather than on security. To the average person, security is an added step, an inconvenience, one more thing he or she needs to remember. With today’s tools and techniques, it’s easier than ever to make end-user security more pleasant and less “do I have to?”
Convincing employees, friends, and colleagues to start thinking about security without really thinking about security won’t solve all of security’s problems, but it will move the needle forward in that area, providing more time to focus on larger issues.