End user security habits pose challenges.

Hard habit to break

Americans’ online security habits are just as bad as you’ve imagined, according to a recent survey of more than 2,000 respondents. Any enterprise security practitioner is likely thinking, “I don’t need a survey to tell me how bad users are,” but putting the scope of the problem into concrete terms is helpful for managing and evolving the corporate security program—which is at least somewhat dependent on end users’ cooperation.

It’s all a big mistake

The survey data, collected by CBT Nuggets, an online IT training provider, confirms what a lot of security practitioners know, but sprinkles a few surprises into the mix. For starters, Millennials (born between 1981 and 1997) just don’t care all that much about online security, but Baby Boomers (born between 1946 and 1964), a demographic often dismissed categorically as “out of touch” with modern technology, are more willing to put in effort to secure accounts and information online. Fewer than 30% of Baby Boomers responded that they “are too lazy, it’s too inconvenient, or they just don’t care” when it comes to following basic security guidance (e.g., not sharing or reusing passwords, or not providing highly sensitive information, like Social Security Numbers, online). By comparison, 53% of Millennials and 37% of GenXers (born between 1965 and 1980) said the same. What this means for security practitioners is that the bulk of users in their organizations are going to be problematic when it comes to cooperating with any security policy that isn’t mandatory.

Reinforcing this point, the survey shows that Millennials claim to use a unique password 68% of the time, versus 80% of the time reported by GenXers and 85% of the time reported by Baby Boomers. The dataset behind the report wasn’t made available, which makes it hard to know exactly how the question was asked, but it’s probable that “unique” wasn’t qualified, and that some respondents interpreted the question as something different from, “What percentage of the time do you use a unique, unrepeated, non-default password for each site you visit/use online,” which is really what security teams should want to know. The answer to the unique/unrepeated/non-default question, versus the question shown in the CBT Nuggets blog post, would be more indicative of users’ true online activity. Plenty of other studies show that “Basically Everyone Reuses their Passwords Online,” so this study’s claims seem questionable.

Instead of getting easier

Enterprise security practitioners can throw up their hands in defeat at this information or continue to blame end users. Both options have been tried by frustrated security pros. Neither has worked. Instead of relying on awareness programs and cooperation from users, security teams have to find compensating controls for managing security in light of the challenges.

Passwords will always present problems; until such time that every website and every application requires long, complex passwords, simple and easy-to-remember passwords will be the norm. Even if such a utopia were to exist, there is no way for security teams to ensure that internal passwords will not be replicated outside of the work environment. If, for instance, an employee has “xU&h9peMs#wE)6%_mRh1b.3” as his company network password, there is nothing stopping him from using that strong password for his banking site, his Instagram account, and his medical insurance login. Inside the organization, however, security teams can set strict password policies and controls. Because end users will push back when they have too many complex passwords to remember or entering passwords becomes a chore, security might consider rolling out single sign-on (SSO), federation, or password managers for everyone in the organization. Some may argue that these tools only serve to introduce a single point of failure, but with these solutions the security team can enforce rules that remove the ability for password reuse and which make employees’ passwords less easily guessed or cracked.

One of the benefits of a password manager is that it’s portable. If the employee is already using it for work and becomes comfortable with the process, it is much more likely that she or he will adopt usage outside of work too, generally improving online security across the board.

Two-factor authentication is another good tool to introduce inside of the organization, but according to the study, only slightly more than half (56.6%) of Americans currently use 2FA to keep accounts secure.

It’s the hardest thing to take

When it comes to other basic security practices, anti-virus (AV) software seems to be a big hit. Over 83% of survey respondents say they use AV on their home computer, but it’s likely that those same users are unaware that AV is designed to catch only the most obvious threats. At the enterprise level, security teams know that AV, firewalls, IDS/IPS, and endpoint protection are also standard and should be used in combination (no one tool to rule them all exists, and never will). In this day and age—and considering users’ risky habits—security teams also must be more proactive at finding threats and intrusions. Vulnerability scanning and penetration tests should also be considered “minimum viable,” and hunt teaming is becoming more popular at companies that have the means.

Layering defenses, a thorough security program includes not only continuous log and alert monitoring, but also determining baselines and applying user behavior analysis to understand when an account may be compromised. Users may not be the most security conscious, but they do exhibit patterns which can serve as excellent guidelines for identifying potential issues.
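As an added illustration of the baselining idea (this is not code from the original article), the Python sketch below builds a per-user baseline of login hours and source countries from constructed auth events, then flags later successful logins that deviate from it; the event data, the one-hour tolerance and the minimum-history threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed auth events: (user, ISO timestamp, source country, outcome).
EVENTS = [
    ("alice", "2024-03-04T08:55:00", "US", "ok"),
    ("alice", "2024-03-05T09:02:00", "US", "ok"),
    ("alice", "2024-03-06T08:48:00", "US", "ok"),
    ("alice", "2024-03-07T09:10:00", "US", "ok"),
    ("alice", "2024-03-08T08:59:00", "US", "ok"),
    ("bob", "2024-03-04T13:20:00", "US", "ok"),
    ("bob", "2024-03-05T14:05:00", "DE", "ok"),
    ("bob", "2024-03-06T13:40:00", "US", "ok"),
    ("bob", "2024-03-07T12:58:00", "DE", "ok"),
    ("bob", "2024-03-08T13:30:00", "US", "ok"),
    # Week two: alice succeeds at 03:18 from a new country right after a failure.
    ("alice", "2024-03-09T03:17:00", "RO", "fail"),
    ("alice", "2024-03-09T03:18:00", "RO", "ok"),
    ("bob", "2024-03-09T13:05:00", "DE", "ok"),
]

def build_baselines(events):
    """Collect, per user, the login hours and countries seen in successful logins."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "n": 0})
    for user, ts, country, outcome in events:
        if outcome == "ok":
            b = base[user]
            b["hours"].add(datetime.fromisoformat(ts).hour)
            b["countries"].add(country)
            b["n"] += 1
    return base

def anomaly_reasons(baseline, event, min_history=5):
    """Return why an event deviates from its user's baseline ([] if it does not)."""
    user, ts, country, _ = event
    b = baseline.get(user)
    if b is None or b["n"] < min_history:
        return []  # too little history to judge; avoid alerting on noise
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if all(abs(hour - h) > 1 for h in b["hours"]):  # assumed one-hour tolerance
        reasons.append("unusual-hour")
    if country not in b["countries"]:
        reasons.append("new-country")
    return reasons

def detect(events, cutoff):
    """Baseline on events before cutoff; flag deviating successful logins after it."""
    baseline = build_baselines([e for e in events if e[1] < cutoff])
    flagged = [(e[0], e[1], anomaly_reasons(baseline, e)) for e in events
               if e[1] >= cutoff and e[3] == "ok"]
    return [f for f in flagged if f[2]]
```

Only successful logins are scored, since those are the ones that could indicate an already compromised account; the preceding failure is left for the monitoring team to correlate.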

I’m addicted to ya, baby

Finally—for this discussion anyway—the companies that are collecting, storing, using, sharing, and manipulating data have the ultimate responsibility to secure that data, regardless of how end users act. Companies are duty-bound to develop secure websites and applications, use strong encryption, patch and test systems, and follow up on alerts and anomalies in a timely fashion.

It’s easy to blame end users or become frustrated with their lack of adherence to security guidance. At the end of the day, though, it’s security’s job to ensure information security; users are just one element of what could go wrong. Shore up other areas of security and your company will see fewer incidents.
