Cybersecurity Is Just Not Cool
nick ioannou
IS & IT pro, Computing’s Top 100 IT Leaders, author & speaker, helping protect organisations & their data
Let’s face it, cybersecurity has an image problem: for most end users it is dull, tedious and repetitive. A series of endless tasks that just interrupt or interfere with users being able to work, and in some cases end up completely trashing your computer (as in the CrowdStrike incident, which affected up to one-quarter of the Fortune 500 companies).
So it’s no wonder users have in some cases just given up, especially when it comes to their smartphone. Given the extensive list of apps that are required to function as a citizen in a modern city, especially if you drive a car, at any given point there seems to be a huge list of apps with available updates. Mobile OS updates are no better, with Apple iOS 17 being updated 19 times so far to get to version 17.7.2. It’s easy to think that it doesn’t matter if you miss an update as there will probably be another one in a couple of weeks anyway.
Computers running Microsoft Windows or Apple macOS also have regular updates which really need some type of warning about how long your computer is likely to be out of action after a restart. I’ve known programs to crash and the users restarting their computer, only to trigger a pending major Windows update, leaving them fuming for over half an hour, as they are unable to work. I once mistakenly triggered a Windows update on my laptop on a London Underground train on the way to work. As I arrived at my destination station, the laptop displayed the ‘do not turn off your computer’ warning, so I had to carry an open laptop up all the escalators and even managed to walk to the office before it finished. Major Windows updates also have an annoying habit of changing a load of default app settings without asking.
Storage drive encryption is now mandatory for many cybersecurity certifications and considered good practice. It is, especially if your laptop is stolen, as the thieves cannot access your data, even if they take the laptop apart. Though for many, nothing is more stressful than when an update affects the encryption of your computer and it refuses to start until a complex recovery code is entered. Without an alternative device on which to locate the required code, it can be quicker to completely wipe the computer, losing anything stored locally. In some cases that is the only option, with easily half a day lost.
Web browser updates have generally improved needing very little input from users (mostly one click) and will restore any open tabs once the update has completed. That is until it doesn’t, leaving you searching through your history hoping that everything is still there. The issue with built-in browsers such as Edge in Windows and Safari in macOS is that even if you don’t use them, preferring to use an alternative web browser, they still need updating to resolve security vulnerabilities. But of course, because you don’t use them, they often get missed.
Password managers are now integrated into many modern web browsers, though these are not as feature rich as the standalone ones. It’s all too easy to click ‘update saved password’ when a dialog box pops up, overwriting something you needed or closing the box without any username information being added. Though forgetting a master password will easily ruin your day in comparison.
Two-step verification, 2FA, multi-factor authentication, whatever the name, is generally a good thing, stopping unauthorised access. Though I recommend authenticator apps over SMS text message one-time codes as they don’t need a mobile signal or even internet access, generating a new code every 30 seconds. I’ve seen desperate users wandering around trying to get a mobile phone signal so that they could sign in, in some cases even leaving the building, only to be told they didn’t enter the code in time.
Biometrics, AKA Touch ID, Face ID, Windows Hello, fingerprints, etc., are effortless when they work, but another source of frustration for many users. In many cases they don’t work by design, such as after a restart on a mobile phone, though they often go wrong more than the manufacturers would care to admit.
Security keys were the pinnacle of security, until you misplaced one and couldn’t access your computer. Ideally they are set up in pairs, but if the second one is at home while you are at work, it is not much help. Passkeys are now heralded as the new way forward, until you have the misfortune of something bad happening to your mobile phone.
Cybersecurity awareness training has also greatly improved, with gamification, humour and micro-modules to name a few of the improvements. The key though is context: if it has little bearing on what the user does or experiences on a daily basis, it is easy for them to mentally switch off and it becomes nothing more than a tick box exercise.
Email phishing simulations are also the bane of many people’s working day, forcing mandatory awareness training (sometimes immediately), and in some cases can affect bonuses and even trigger official warnings from the HR department. The thing is, everyone can be fooled some of the time, and it is more important to make sure that technology aids users, preventing them from entering credentials into a fake login page in the first place.
The end result is that users are frustrated and weary of all the cybersecurity measures that just seem to delay them from doing what they need to do. But many would say that this is akin to complaining about brushing your teeth twice a day. If we don’t brush our teeth, the consequences are quite severe (and painful), much like suffering a successful cyber attack. The inconvenience of cybersecurity is a minuscule price compared to suffering an attack, and while there is no guarantee, the risks are definitely reduced. The solution involves a subtle balance of technology, processes and people. Also, statements like ‘people are the weakest link’ are not helpful. Badly thought out processes with no training, or implementing technological controls with no testing, is closer to the ‘weakest link’ in my opinion.
We just need to find a way to make the constant security tasks quicker and less prone to causing more problems than they solve. Maybe, then cybersecurity tasks can be seen as routine as brushing your teeth, with the minimum of fuss.
For more security resources and advice, see: www.booleanlogical.com
Updates are such a pain, especially when they leave you stuck or searching for codes. Hopefully, security and convenience will find a better balance soon.