The security world confronts businesses and organizations with a lot of challenges. The recent exposure of Efail, Meltdown and Spectre, low rates of DMARC adoption, and the ever-looming “Cyber Security Pearl Harbor”, should be a bit worrisome. We are consistently and constantly preaching about the dangers of social engineering and the lack of user awareness. We can continue to improve the technology, but, as of yet, can’t control what users choose to open and click.
This makes wanton disregard for cyber security best practices that much more difficult to watch. I remember at one of my early jobs, we were required by IT to reset our password on a monthly basis (with a “one capital, number, symbol, etc” password that you could never remember). I deeply resented it. Yet, begrudgingly, I accepted the fact that whether or not I thought it was snake-oil, it was part of the IT plan designed to ensure the security of the data infrastructure and as such, much like I don’t want finance to get in the way of my plans, I should respect it.
Organizations that have plans and members who stick to them will be much safer in the long run. Willful ignorance, because playing by the rules is too inconvenient, doesn’t have to result in disaster, but results in a dramatic increase in the likelihood of a breach.
When we see people in leadership positions whether a Clinton storing confidential emails on an insecure home server or a Trump saying using secure phones is “too inconvenient”, it dramatically reduces the effectiveness of technological solutions and simultaneously increases the possibility of a breach, in these 2 cases, of state sponsored threats.
Leadership, often in the form of CEO fraud, is a high value target for cyber criminals. Certain industries are associated with specific cyber risks, whether data breaches in health, corporate espionage in manufacturing, or state sponsored attacks in government. The conflation of high value targets and leaving openings in vulnerable industries is a recipe for disaster.
Security is both bottom up and top down. The chain is only as strong as its weakest link. To properly protect an organization, there is no room for breaking with an IT plan. It doesn’t mean there has to be a breach, but we never want to make it easier for the criminals.
We work diligently to produce email security solutions that attain an equilibrium, where we can maximize protection while minimizing inconvenience. We continue to develop products that require less and less user action to ensure security, while making email safer. Automated triggers, backups, URL scanning, attachment defense, machine learning, and more, have all created a vastly more convenient and safer experience for your average user.
The higher up in the food chain you go, the more inconvenient security will be (whether email or physical). It’s a very small price to pay. And for the love of your IT team, please respect their plan. Inconvenient or not.