In the wake of 2016 and 2017’s wide-spread online security breaches, I now regularly have clients who ask how their data can be secured against online threats, but who at the same time don’t want to change their existing processes or learn new technology. I’m sorry to say, you can’t have it both ways.
I often frame it that security and ease-of-use are two sides of a balance; when one goes up, the other goes down. The most secure computer would be encased in concrete and thrown into the mid-Atlantic ridge – definitely doesn’t make it usable. A laptop sitting on a street corner, connected to public wifi, with no passwords, would certainly make for an easy-to-use machine, but with an utter lack of security. Every person, every workplace, every organization, has a balance somewhere between that meets their needs for both, but this midpoint isn’t the same for everyone or every company.
Many of my clients are financial, medical, and legal firms, with strict regulatory and industry-driven compliance practices that must be followed to remain open. For some it’s as simple as having regularly-expiring passwords, for others it’s an annual outsourced penetration test, with all results and remediation strategies submitted to the governing authority for review. The IT industry calls the specific needs and fears of a client its “threat model,” in that to accurately say a system is protected, the specific types of attacks/attackers defended against must be specified.
For most people at home, a state-backed advanced, persistent threat (APT) crew shouldn’t really be in their threat model. They aren’t likely to be targets of highly-specialized and uniquely-crafted malware that’s designed to steal their cat pictures. On the other hand, however, there are many online threats that the general user should have defense against, whether they realize it or not.
I recently gave a talk on the subject of “online security” to a large audience of local financial professionals. These were people who dealt with thousands or millions of dollars of others’ money on a daily basis, and for whom information security is (or should be) a major concern. While some of the specifics of my talk were tailored to their particular niche case, overwhelmingly I focused on the low-level, most-effective things that they could do to protect themselves and their clients.
When asked about backups, I could offer my clients a dizzying array of options, plans, contingencies, and failure cases, but the most important questions I have are “what are you trying to protect” and “what are you hoping to protect it from?” We recently had a devastating fire in Sonoma County, so many clients want their information stored off-site. Fantastic! This is a great example of a specific situation (the destruction of a building and its contents) that we can plan for.
Will every solution covert every eventuality? Of course not. I often liken computer security to buying fancy locks and security systems for a home; given enough time and motivation, any system can be defeated, and no system will help if you invite the threat in yourself. In most cases, the base level of security I recommend will keep out the majority of today’s online threats – an ad-blocker for each browser, an offsite backup for disaster recovery, and a configurable firewall with some capability for alerting.
Some people chafe under the idea that they have to save their files to the server to keep them secure, or that they can only email their doctor by using a secure web portal. They like the ubiquity of public wifi hotspots, even though there is absolutely nothing stopping someone from intercepting all of their internet activity. Convenience and a user’s irritation at security restrictions are an attacker’s best friends, particularly as more and more of the population get online.
In closing, I’ll try to dispel a common myth – today’s youth aren’t particularly more adept at using technology than any other demographic. They may be more well-adapted to the rapid pace of change in technology, but ultimately most devices these days are functionally “black boxes” where the specifics of how they work may as well be magic, as far as the lay person understands. Unlike most cars from the 1980s and before, most devices these days can’t be easily repaired or modified by the average end-user.
In that regard most people today are consumers of technology instead; when something doesn’t work as expected or breaks, today’s markets say to either live with it or buy a new one. In my professional career I’ve met far more individuals who were older than I that expressed an interest in exactly how their technological devices actually worked than those who were younger.
Remember, when considering or evaluating a security solution or practice for your own use, think of what specific threats you are hoping to avoid, and plan accordingly.