Wednesday, August 17, 2016

Make Security and Privacy Awareness ubiquitous

“Yeah, let's create a page and put all the information there that our users and/or customers need to stay secure!” Sound familiar? Do you have a so-called awareness page somewhere on your intranet or website? And are you suffering from a lack of traffic, or at least a lack of success, on that page?

In my recent post “Need Security Awareness? You're doomed!” I argued that Security Awareness is the last thing you should focus on (I was overstating that on purpose, of course). The worst part of it is that with awareness you depend on the weakest link in the chain, and that is humans. And humans have proven to be relentless in not following guidelines whenever they feel they need to. So how can we inspire them to follow the guidelines? Well, with proper awareness...

I think that there are two fundamental principles that need to be taken into account with awareness. First of all, do not only tell how, but focus on why. And when you tell it, tell it when it happens. Tell it when there is a change! I will zoom in on those two principles, but first I want to make another distinction. There are also two types of awareness. One is about Security and the other is about Privacy. A good understanding of the differences between these two types will help you in telling why and how.

Example with thanks to Bob

A customer, let’s name him Bob, logs on to your website and decides he wants to change his password. He goes to his account settings and to the tab about his passwords. He just sees two blank fields, fills in the same password as his e-mail account twice and hits the OK button. Some algorithm approves his password, as it is complex enough. Say something like: Th!s!sN0tMyP@ssw0rd. It is long and difficult. Right?

Two things failed here. First, he re-used his password; second, his password is anything but complex. It is probably far from ‘unique’ (as far as that is literally possible) and likely often used and present in password-guessing tools. But there is a third thing that failed tremendously. Bob was never given the chance to see an effective awareness message.

What if there was a message like the one below, before Bob could change his password?

When choosing your password it is important that you choose one that you do not use with other services. It is possible that your password gets stolen through a service other than ours and is then misused on our service. Your privacy is then compromised and that is something we really want to prevent. To remember all your passwords you can use a password manager tool, which will help you better protect your own privacy. Click here to see our central privacy protection page to learn more.

And then present the form to change the password. Chances are that he will not re-use a password. It is not a 100% guarantee, but it has higher potential than saying nothing. Why? Because you tell why (it’s about privacy), you tell how (that’s about security) and you tell it when it matters (when the change happens)! I strongly state that this type of awareness is more effective than a distant page.

But what about Th!s!sN0tMyP@ssw0rd ?

And this is where we need technology to help our colleagues and customers (instead of failing awareness). Implement good filters and regular expressions to enforce a good password policy, but also check the password against often used passwords. Also prevent (whenever possible) the use of compromised passwords in combination with the name of the account. Do not just tell the user what a password should look like, but help him or her with it. It’s far more effective!

I am not going into the debate now about what the complexity of a password should be. But I would rather have it unique and long than complex and shorter. From a computing perspective, no combination of characters is more complex than another combination of characters. The password ‘A Purple Bunny is swimming in the Ocean’ is more likely to be secure than Bob's example. Why? Because it makes no sense to people building brute-force algorithms and it has more characters. And it is easier to remember, and therefore the chances of it being written down are slimmer.
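As an added example (not part of the original post), one way to turn the checks above into code that helps the user instead of only rejecting input. The lists are constructed samples, the minimum length of 12 is an assumed policy value, and the function names are hypothetical.

```python
import hashlib
import unicodedata

MIN_LENGTH = 12  # assumed policy value: favour length over character classes

# Constructed sample; a real deployment loads a large list of often-used passwords.
COMMON_PASSWORDS = {"password", "letmein", "qwerty123", "thisisnotmypassword"}

# Typical character substitutions, undone before the list lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def canonical(password):
    """Lower-case, undo substitutions, keep only letters and digits."""
    text = unicodedata.normalize("NFKC", password).lower().translate(LEET)
    return "".join(ch for ch in text if ch.isalnum())


def pair_digest(account, password):
    """Digest of an account/password pair, so the list holds no plaintext."""
    return hashlib.sha256(f"{account.lower()}\0{password}".encode()).hexdigest()


# Constructed sample of account/password pairs known to be compromised.
COMPROMISED_PAIRS = {pair_digest("bob@example.com", "correct horse battery staple")}


def password_feedback(account, password):
    """Return help messages for the user; an empty list means accepted."""
    hints = []
    if len(password) < MIN_LENGTH:
        hints.append(f"Use at least {MIN_LENGTH} characters; a sentence works well.")
    if canonical(password) in COMMON_PASSWORDS:
        hints.append("This password, or a simple variation of it, is often used "
                     "and appears in password-guessing tools.")
    if pair_digest(account, password) in COMPROMISED_PAIRS:
        hints.append("This password was exposed together with your account name "
                     "elsewhere. Please choose a different one.")
    return hints


if __name__ == "__main__":
    for pw in ("Th!s!sN0tMyP@ssw0rd", "A Purple Bunny is swimming in the Ocean"):
        print(pw, "->", password_feedback("bob@example.com", pw) or "accepted")
```

Bob's password passes a character-class rule but is caught once the substitutions are undone, while the long sentence is accepted.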

Next step is deleting the awareness page?

Now I am not stating that we should all delete our awareness page and move to a system like the one I described above. It’s smart to have a page which combines all the important details. Sometimes people do get interested and it would be a wasted opportunity not to satisfy their hunger for information. Let these two co-exist, but focus your time and energy on making awareness training ubiquitous. Make it present everywhere it matters.

Oh, and try to avoid the word awareness. It says something about a person not having something (you are not aware!) rather than being about gaining something (better protection of their privacy).

In other words

Make awareness training ubiquitous by incorporating it within your entire environment, by telling how and why, and by telling it precisely at the moment it has the greatest impact. The place where change is made, the place where it matters.