Sunburn

by Brian Katz on April 8, 2013 · 9 comments

I spent this weekend like I do many weekends, at a soccer tournament for one of my daughters. It usually means at least 3 hours outside and a fair bit of fun. Being that it’s just the first week of April, it was still pretty cool and the high for the first day didn’t go above 52 degrees while a stiff wind was blowing for the entire day. It was a good day, my daughter’s team didn’t give up any goals and they tied the first game and won the second. It wasn’t until I got home that I realized the damage that had been done. One look in the mirror was enough to tell me that I had a nice sunburn on my face, complete with the white around my eyes from sunglasses. It’s not unlike what happens with many people as they go mobile.

sunburnt faceOne of the things that you find as people go mobile at work, is that they are looking for the experience to be as frictionless as possible. The first thing that they worry about is whether they can get their email, calendar, and contacts on their device. Then they start asking for more information. They want the ability to be able to work wherever they are. Quickly though, they start to push back against the corporate policies that exist. The first bit of pushback always concerns logging into the device. Most organizations require that users put a passcode on their device. It is the first line of defense for most devices, a casual user can’t log into it if they find it, and for many devices, it is what kickstarts the encryption process.

It is very much like the sunburn I suffered from this weekend. It really wasn’t hot out, it’s too early in the season, I was only going to be out for a small amount of time…all great excuses I told myself to rationalize why I hadn’t put sunblock on. To be fair, I really didn’t think about it. It isn’t any different then what a user says to themself when they use their phone. They aren’t the type to ever lose their phone, they never leave it alone unattended for anyone to pick it up, no one would ever want to steal their device…the rationalizing goes on. As human beings, we are very good at rationalizing, or as someone said to me when I was quite young, it is very easy to tell rational lies to yourself.

It isn’t until an incident happens to a user, that they even really start to see the issues. When I went to the second day of my daughter’s tournament, you can bet that I had sunscreen on. I had no desire to run the risk or feel any worse. The same thing happened to my daughter’s coach; he had his apartment broken into on Friday night. A deadbolt was installed on Saturday and he asked what he could do to protect his laptop in the future as his had been stolen.

The sad bit is that even though we can train our users 6 different ways to Sunday, unless they can internalize the experience of losing their device or having it compromised, it is very difficult to get them to follow form. It doesn’t mean that we can’t force the issue using MDM (Mobile Device Management) but it only causes more grumbling or in the case of BYOD (Bring Your Own Device), gives people another reason to avoid using device in a corporate setting. It is a lot easier to win users over to your side of security and common sense when you make the issue about them.

When you talk to your users, especially if you have a BYOD program, spend less time talking about the corporate data and more time focusing on their personal data. Do they want someone to be able to get into their bank account? How about posting on Facebook or Twitter as them? Have discussions about the kind of data they keep on their phone and teach them to protect that. You get to protect your corporate data too, but your users will care about their own stuff. When you show them what’s in it for them, you have a better shot that they will buy into the program. It’s always easy to get a sunburn, but it’s even easier to protect yourself against one if you know why you’re doing it and when you need to.

{ 8 comments… read them below or add one }

Dominic Wellington April 8, 2013 at 12:10 pm

I would add the the policy should not be too onerous. I have seen policies that require desktop-style passwords on mobile devices: eight-plus characters, at least one number, at least one upper-case and one lower-case letter, and then change it every couple of months. Having to type that little lot into an iPhone every time you want to check your messages led plenty of otherwise law-abiding people to try to figure out how to remove the software that enforced that policy, despite the fact that it had many other valuable features. And of course, having gone to all that trouble to get rid of the password, most did not enable the simple built-in four-digit PIN; they just left the phone fully unlocked. Worst of all possible worlds!

I did my best for corporate security by changing the background of unattended unlocked devices to horrible images, but that’s hardly scalable.

Reply

Tal Klein April 8, 2013 at 6:33 pm

I simply don’t think you can put the onus of enterprise security on the end user, this includes using fear – whether for their data or yours – to “train” their behavior. Such an approach is a non-starter IMO.

Reply

Wes Miller April 8, 2013 at 7:44 pm

I couldn’t agree more, Tal. For years, I’ve said, “You’re only as secure as your most intelligent, and least intelligent, end users”. There’s just a point where you have to remove the “dancing pigs” button, or users will keep clicking it to see the dancing pigs. Maybe if users had some skin in the game. “Lose your phone, lose your vacation time” or something…

Reply

Brian Katz April 8, 2013 at 7:53 pm

Tal –

I don’t think it’s a question of putting the onus on your users but
rather getting them to participate. Security can’t just be top down and
users have to take some responsibility as well, as long as you provide
the right tools. It shouldn’t come from a sense of fear but there is
nothing wrong with letting them know that their own data is at risk
too…partnering with your users give them the best chance for success…

Reply

Tal Klein April 8, 2013 at 11:33 pm

Here’s the thing: It’s not top down. it can’t be. The architecture of computing is utterly broken and you can’t invite users to participate in IT’s inability to patch the dam because, actually, the attackers aren’t trying to compromise their data – if they get hit with the next MiniDuke, their iTunes will still work just fine, and Instagram will still have all their pictures. The attackers are after enterprise data and infrastructure, the endpoint is not even collateral damage, it’s simply an attack vector – once compromised, it’s actually in the attacker’s best interest to keep the user painlessly unaware of the infection.

No, this is a bottom up problem. Enterprises need to start demanding a better architecture from their operating system and application vendors. Windows zero day? Demand a refund. Java exploit number one billion and five? Debook your database business with Oracle.

The reason software vendors give us bug ridden code is because we let them. We pay for the privilege. So my solution is: Stop talking down to your users and start charging back your software vendors for bugs and exploits in their code. Money talks.

Reply

Brian Katz April 8, 2013 at 11:49 pm

Tal,

Sure, which is why I have always bought into Bromium and as I said before, give your users tools so they can just be users. It also doesn’t change the fact that you should be hitting back at the vendors who provide you with buggy code etc.

This doesn’t change the fact that as we move to smaller more portable devices, we should allow these gateways to our corporate and personal data to sit there and be wide open stores screaming for people to take them and use them.

No matter how good the software gets, or how good the tools are that allow you to let your users be themselves, fundamentally users, whether smart or stupid, still need to play a part.

You don’t want to let people build your house with a lousy cement and cracks in your foundation. You want tools and answer to keep the termites out and the electricity running. But you also don’t leave your door wide open inviting people in, whether your around or not. Just because you have the best alarm on the market, if you never turn it on and people see the door open, what good does it do?

Reply

Tal Klein April 9, 2013 at 12:27 am

Actually, as you know I’ve written a whole blog on the metaphor you chose to close with. You see, the reality is: Whether your door is locked or unlocked, or the alarm is armed or unarmed has very little impact on whether a robber will break in to your home and steal your stuff. In fact, our homes are not properly architected to stop someone from robbing them. The design of your average home is hardly ideal for security. Why we willingly buy insecure homes and then try to retrofit them with security products that are doomed to fail due to the underpinnings of foundational architecture is a more interesting quandary.

I can’t claim lack of Bromium bias because I work for them, but that’s not what drove my response. I’ve been spending a lot of time learning about computing architecture and security, the pinnacle of this research thus far has been a book that I highly suggest you read called Geekonomics by David Rice. The basic premise is that secure code can be written, yet our purchasing and deployment behavior belies what we claim we want.

Christopher Burgess April 11, 2013 at 9:07 am

Brian you hit the nail on the head. All policies should be written to answer the question from the user: “What’s in it for me?” and I’ve heard many times, “Your job continuity”, but the reality is an educated user truly is the user best positioned to protect their own data and that of their employer.

Thanks for this piece – sharing over in the G+ world.

Reply

Leave a Comment

{ 1 trackback }

Previous post:

Next post: