The security community has a bad attitude toward normal human beings.
We — and I’m guilty of this as well — blast out our technical expertise to users in order to teach them how to handle security, and then expect them to take the same amount of time we do when we are researching and implementing solutions. Users are people: management analysts, lawyers, senators, housecleaners and accountants.
It’s time to converge on some simple security hygiene for people who don’t have our expertise.
Look at it this way: Dentists don’t expect patients to fix their own cavities. When I get in the dentist’s chair, I’m not handed a caulking gun and a mirror and told to repair myself, nor am I mocked for not knowing how to fill a tooth. What I am expected to do is brush and floss twice a day, along with a hygienist visit twice a year.
Likewise, as much as I don’t need medical journals piled on my coffee table when I should be responding to security incidents or evaluating products for vulnerabilities, nontechnical users shouldn’t be faced with long lectures and paranoia regarding information security when what they need is simple security hygiene instructions they can practice every day.
Follow me on this. The way that we as “Subject Matter Experts” understand, study and practice information security cannot and should not be expected of people without the same level of expertise.
Instead, we should only expect the public to master three simple rules of security hygiene:
Don’t use the same password on every website. Get a password manager. It’s not always reasonable to expect a nontechnical user to use a Faraday cage on their RFID devices, but it’s totally reasonable to expect avoiding “password” as their password in multiple banking websites and email services. Engineers and software developers can also help by working this problem from the other direction, eliminating all “password complexity requirements” and other nonsensical and outdated policies from all systems that they administer.
Also, it’s reasonable to expect people to use and implement two-factor authentication on every messenger app, email service and financial website that they use. If a website or service doesn’t have 2FA, and you need it to send sensitive or financial information, don’t use that service.
Additionally, put a damn passcode on your mobile devices. I don’t care if it’s 1111—it is better than not having a mobile passcode at all.
That’s it. Those are the simple rules we should expect every user to understand and implement. Stop raising a Spock eyebrow at your dad when he says he wants to use Facebook Messenger instead of Signal or Wickr. You have no right to expect that from him, nor from the newspaper exec, the congressional staffer or the operations manager. You do have the right to get mad if his phone can be picked up and used by any person on the street without needing an unlock code. That’s a basic level of self-protection that all people should be expected to understand or face personal consequences for not understanding.
These are simple rules, like brushing your teeth and taking a multivitamin. No doctor would blame a patient for being hit by a car and having a broken leg. In the same sort of way, we must defeat the culture of blame surrounding our nontechnical users who, upon being hacked, experience the same “act of God” that any security expert would experience upon being randomly hit by a car.
We can and should do better than victim-blaming ordinary people who practice simple security hygiene and experience traumatic, embarrassing and expensive events like being hacked.
It’s our job to step in and provide solid preventive care or remediation after the fact. Let’s do better.
Tarah Wheeler is Principal Security Advocate for Symantec Corp. and contributor to CyberScoop.