There are five words today that, when coming from any adult relative with minimal technical chops, are the most terrifying you'll ever hear: I clicked on this link... I doubt any one of us at some point in our lives has managed to escape the inevitable cry for help from a technically challenged relative after they've managed to turn their computing device into a festering pit of malware, Trojans, key loggers and other nasty infectious bits. Combine that reality (which needs no statistical shoring up but for the sake of completeness we'll note that phishing still catches 45% of targets) with the very scary research that says 51% of folks share 'usernames and passwords with friends, family and colleagues' and '28% admitted they knew the log in details for a friend’s, family member’s or colleague’s mobile'—a significant number of which likely write them down, in plain sight, store them in their ever-so-helpful browsers and stay logged in for excessive periods of time. It's no wonder that 61% of breaches in the consumer market occur due to identity fraud. Between phishing and sharing, security doesn't stand a chance. These consumer-related security stats should scare the pants off you because those consumers are your co-workers. I’ll let that sink in for a moment. The consumers who are beleaguered by identity theft and plagued by malware are the co-workers with whom you are partnered in the Sisyphean task of protecting corporate app, data and network from intrusion and exfiltration. These consumers are the people you've been working to educate and, if we're honest, who practice the less than stellar security habits against which you fight every day. One of the biggest challenges in IT security today is, in fact, the reality of BYOSP (Bring Your Own Security Practices). The consumerization of IT is more about commoditized apps, personal devices and a corporate laissez faire approach to both. An unfortunate side-effect of consumerization isn't that people aren't bringing just their own things; they're bringing their own (poor) security habits. Remember that several of the most recent (and high-profile) breaches have occurred because of stolen credentials. Is that any surprise given the consumer statistics related to identity fraud, phishing and sharing of credentials? No matter how strict or complex your password policy is, it is no defense against the voluntary sharing of credentials or the theft of them inflight thanks to a previously clicked link. There is a relationship between consumer security fails and corporate security postures. The more computing savvy consumers believe they are, the more likely they are to bring their own security practices along with their devices and apps to their corporate positions. The key word is practice. They're going to do what they've been doing for, oh, nigh unto most of their life at this point. They've got to unlearn and the only way to break bad habits is through practice. You've got to help them build new habits. That takes more than quarterly reviews of security policies. It takes more than just random internal phishing expeditions. It takes more than just periodic e-mail reminders or mandatory video-based training. It takes time and consistent application. Security practitioners need to find ways to engage, consistently, their consumer- co-workers in practicing good security in order to form the habits that will make them more secure at work and at home. Gamification, more random tests and more opportunities to practice will certainly encourage formulation of the security habits that will serve both corporate and consumer interests alike. Habits are formed by repetition, not reminders. While certainly reminders help reinforce what is learned, they cannot be the primary means by which good security practices are taught and encouraged in the enterprise. We have to be more active and vigilant in helping our consumer-coworkers form the good security habits they need to protect not just corporate resources, but themselves.
About the Author: Lori MacVittie is responsible for evangelism across F5’s entire portfolio including a broad set of network and application security solutions. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine with a focus on applications and security. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
