Analysis Tech

Why do we suck at cyber security? Part II – convenience

This is part II of the why we suck at cyber security series. You can read Part I here.

Part II update: Yup, we’re still screwed
It’s not getting any better out there. Food for thought: 2017 saw a record-breaking number of vulnerabilities, setting the new high at 20,832 (hooray!). I can’t wait to see what the 2018 number will be.

I’ve said it before, and I’ll say it again: cyber security is a direct contradiction of convenience. This simple fact leads to a lot of the security problems that we all hear about on a monthly — sometimes daily — basis. It’s important to remember that shortcuts (convenience) generally work both ways; tracers tell you where you’re shooting, but they also show the enemy exactly where the bullets are coming from. In the cyber security world, every element that makes accessing your information more convenient for you also makes it more convenient for adversaries.

Yes, it’s convenient to use the same password for every site you make an account with. Yes, it’s convenient to just have a username and password to log in to your bank sites and not require all sorts of two-factor steps like clicking a link in your email or entering a code that gets sent to your phone. Yes, it’s convenient to have a password that’s a single word with no special characters. All of these things are also incredibly insecure.


On the other hand… Sure, we could just program everything to be perfectly secure and require your social security number, mother’s maiden name, first dog’s hair color, and that childhood secret that you’ve never told anyone to gain access to it, but I wouldn’t want to log into anything ever again.

The problem arises
That’s where you hit a Catch-22. From a business standpoint, if you keep everything as secure as possible and limit the methods by which your users can access your site or application, how are you supposed to keep drawing new customers when your competitor makes things easier for the consumer? So, it’s partially our fault; we want things to be easy and convenient. I’m not naive enough to expect users to sacrifice convenience for security that can’t very well be measured, but I promise you that the current state of cyber security will not change much if users do not start valuing the security of their own data and stop leaving it entirely up to the business.

I am by no means putting the security mission solely on the consumer — the new record for vulnerabilities in 2017 highlights how it is absolutely the creators’ fault for the security lapses of today’s products, whether it be Facebook, Microsoft, Apple, or Experian. However, it is entirely up to the consumer to decide how far one breach can go. From password complexity and strength to ensuring that no single breach will compromise multiple accounts, it’s all on us. Everyone has a role in cyber security — don’t take it lightly.

Images courtesy of Pixabay.

2 comments on “Why do we suck at cyber security? Part II – convenience”

  1. I am a fan of the two factor authentication. Makes me feel a little more protected. Alex, what are your thoughts on the clouds, such as the iCloud? To your knowledge are these sites secure? And my last comment, I received the following email from Amazon this week: “We’re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.” Do you see any potential issues?

    • Alex Green

      Two factor authentication is great. There have been some fun vulnerabilities with the various methods of multi-factor, but that is a separate discussion on its own. Cloud environments can be a tricky thing. For the cloud to be functional, you permit access for a number of apps and systems to use your cloud. With that, the weakest link becomes those approved vectors. So, a vulnerable computer or phone (that is already connected to the cloud) may be maliciously leveraged to exploit that connection and take advantage of files that you would presume to be protected. On the other hand, you are trusting the cloud provider to adequately encrypt and protect your information. Ideally, a breach of the cloud would only expose your encrypted files and thus be useless to an attacker. However, the decryption keys have to be kept somewhere….

      Regarding Amazon, it was a glaring mistake on their part to expose that information, but I agree that it wasn’t a “breach”. Fortunately, as it appears that the only information exposed was name and email, there is not too much to be concerned about. There may be an influx of phishing emails associated with that collected information, but as Amazon is not sure how long the exposure has been in place, it’s difficult to say who harvested it or how they can leverage that information.
