In a very short time span, computers and electronic technology have drastically changed the way humans live. We have welcomed these devices into our lives to increase convenience and make most of the things we do in our day-to-day lives easier. The relationship with technology has generally been a very enjoyable experience. Many people enjoy the convenience of technology so much they claim they would be lost without their cell phone, as in literally lost. However, there are some aspects of our relationship with computers that many people find increasingly frustrating. Enter the password. Passwords and other cybersecurity features are the necessary evil we all tolerate to make sure our computer use is an enjoyable experience and not a string of random fraud and crimes happening on our cellphones or laptops.
By Dick Wilkinson, Chief Technology Officer, Proof Labs
Customers find security features tolerable, not enjoyable. Technology customers have seen a trend over the decades: smaller devices with fewer buttons, fewer switches, and less physical interaction with your network or device. The user experience is becoming almost completely touchless and seamless. Voice assistants, like Alexa or Google Home, are the perfect example of what users have always wanted their computers to be: interactive, easy, powerful, and touchless. A serious problem occurs when the security features of any new technology slow down the user experience, add physical touches or additional clicks, and require focus and time to get exactly right, or else you are locked out of your session. All these interactions are a nuisance to the user. Security has established itself as the path of most resistance in the life of a technology customer.
The path of least resistance causes breaches
Security features are difficult to navigate, and they create a problem that is often easy to overcome. Enter the workaround. Humans by nature will seek the path of least resistance to get a task done. No matter how serious or trivial the task, we expect to find or create the easiest series of steps to complete the work. Many modern jobs happen in an office with computers, and the tasks become repetitive and time-consuming even with the help of computers. The employees completing these repetitive tasks are always seeking the path of least resistance, and that is a good thing. You want to nurture efficiency in your company; letting employees be creative is a great way to find those efficient methods. That creative nature quickly runs afoul of security, which is policy-driven, structured, and immovable by design.
IT security uses rules and rigidity to ensure only the right people get access to only the right information. Security creates digital gates and fences and shuts off access to the path of least resistance. You must go out of your way to pass through our digital gates, or you will never get to the data you are looking for. The earlier example of passwords is an even better illustration of the disconnect from user expectations that is perpetrated by the security industry. A single username and password challenge is a simple gate to pass through. So easy, in fact, that multifactor authentication, or MFA, was created.
Barriers to security
One gate was not enough; we have now introduced multiple gates that require multiple “keys” to pass. That is the exact opposite of what a user wants; they want zero passwords, not extra passwords to make sure the first password works properly. People are smart and have realized that passing through the digital gate is only one option; you can also jump over the fence.
An employee is working with a customer and needs to receive several large files. The files won’t make it through your corporate email scanners/filters because they have odd file extensions or types. There are also restrictions on attachment sizes. To get around this limitation, the employee logs into their personal free email account on their corporate computer and downloads the files onto the corporate machine. Your $20,000 per year email gate was just jumped over for free and the task was completed on time. You also now have malware in your corporate network. The security feature was immovable without serious levels of effort to contact several people and ask permission for an alternative way to get these files. The path of least resistance was visible, so the employee took it. The worst part of this whole scenario is that if the security team finds out about the fence hopping, they will create even more fences and gates to lock things down even tighter, leading to even more scenarios where employees might look for a different path. Security increases the resistance when incidents happen. The balance of security versus usability is not sought out but instead made worse to ensure compliance…
This story first appeared in the August 2021 issue of CISO MAG.
About the Author
Dick Wilkinson is the Chief Technology Officer at Proof Labs. He also served as the CTO on staff with the Supreme Court of New Mexico. He is a retired Army Warrant Officer with 20 years of experience in the intelligence and cybersecurity field. He has led diverse technical missions ranging from satellite operations, combat field digital forensics, and enterprise cybersecurity to cyber research for the Secretary of Defense.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.