Feeling secure yet?

By: Dr. Gary Anderberg

May 17, 2024 — Question: Do you check that each door and window is locked before retiring to bed? Make certain that no appliance is left on, that everyone — kids and pets — is accounted for? Did you lock your car when you parked it in your driveway when you came home from work? No?

What about all your work-related electronic devices — do you use your dual authentication every time you sign on? Never leave confidential files on your laptop? Shut everything down at the end of the workday? No? Well, my friend, you must be human.

The good folks at 1Password surveyed some 1500 humans (actually 1500 white-collar workers including 500 IT professionals) for this year's State of Enterprise Security report, Balancing Information Security and Productivity in the Age of AI. Their conclusion: What's good for business is often bad for security. That seems like an odd idea from a company that specializes in on-line security, so their reasoning and evidence merit our attention. Let's take a look.

Work is ubiquitous and relentless. Work happens everywhere nowadays — at home, in a coffee shop, on a train, on the phone in your pocket at your kid's Little League game. Moreover, for most of us work expands to fill the time available. We're all on a productivity treadmill going faster and faster. Meanwhile, company IT security teams are struggling to keep up.

The balancing act. Productivity and security are in a constant tug-of-war for employee time and attention. The temptation to cut corners, to fudge just a little on all those security steps becomes greater and greater as the tempo of business picks up.

What real humans are doing. Some 92% of IT pros say their companies require all apps to be approved, but we see what really happens. The survey found that in day-to-day business, people use unapproved shadow apps — 47% in IT, 40% in finance, 27% in healthcare and 19% in education, to cite a few.

Devices. Some 84% of companies require employees to use only company-supplied devices, but 17% in the survey report that they never use company equipment — another disconnect.

Fighting the good fight. Almost 70% of security pros say they're at least partly reactive in terms of security risk mitigation, because they're either pulled in too many directions (61%), don't have the necessary budget (24%) or are understaffed (21%), among other reasons.

AI. And 92% of IT security pros think the growing deployment of AI apps will only make their situations worse.

In sum, over half of the employees surveyed admit to being lax about security standards, but they add that they're just trying to get things done on time.

What's a risk professional to do? First, we suggest taking the time to understand your actual unique risks, given your industry, use of confidential information and other factors. Clearly, a data breach at a large medical services provider is very different from the parallel event at a candlestick maker. What are the potential consequences and where are your points of greatest vulnerability? Who normally handles your most sensitive files, your most valuable IP? Study cyber events at related enterprises. What happened and how did the hackers get in — a careless employee, a careless vendor with system access?

Broadcasting messages about IT security to all employees is usually less effective than targeted messages to specific groups of employees concerning the real risks in their areas of operation. The 1Password survey makes it clear that the usual communications aren't especially effective. Remember that in many cases, like NBA players buying socks, one size does not fit all.

We all get in a hurry to get a job done. We forget, just once, and save a confidential file to a thumb drive. We have a really difficult analysis to finish and a friend has an (unapproved) app that will make it so much easier and faster. To cut corners is merely human. To minimize cutting security corners is risk management in action. Like other forms of risk reduction, this one is a constant and often thankless task, but what are the options?

Helen Keller wrote that security is mostly a superstition, but we risk professionals can't stop trying to do better. Does everyone using IT in your organization (and who isn't?) understand that cyber disaster is a very low-frequency, very high-severity threat? You cut that corner a hundred times — you left that laptop unsecured, installed some funky app that your brother-in-law says is really cool — and nothing happened. But the next time may be digital Armageddon, millions of dollars in closely held IP splashed all over the Dark Web. How do you get that message across often enough that your people don't forget it? After all, they're only human.