Finding the Balance: Security versus Convenience
There's one important "rule of thumb" to keep in mind while we discuss implementing the various security best practices in the Security 101 and 102 series. Whether it's security on your accounts or security on your devices, the same theory/rule applies: the more secure something is, the less convenient/easy it will be. The opposite is also true: the less secure something is, the more convenient/easy it will be.
Want a quick example? Think about your home. If there were no security in place, the doors and windows would always be unlocked or open. This would be very convenient. Since most people use security measures to protect their home, entering is less convenient. To secure your home, you introduce inconveniences: the front door must be unlocked before entering, and climbing through an unlocked window is no longer an option. If you wanted increased security, you might have 2 locks on the door (door knob and deadbolt). To increase security further, you might install a security/alarm system that would need to be turned off (disarmed) before, or after, entering as well. Some people also install security cameras, which record everyone that enters and exits. Some people even have padlocks on their gates. All of these security features (locks, alarms, security cameras, etc.) introduce inconveniences, or make it less convenient, every time we get home. We endure these “inconveniences” because we want ourselves and our families to be safer and more secure.
With those ideas and examples in mind, let’s discuss what I call the “annoyance factor.” The “annoyance factor” is the amount of inconvenience, or extra steps, someone will tolerate to make something secure without becoming so annoyed that they disable security altogether. We will keep the annoyance factor in mind as we discuss each recommendation. The annoyance factor is in the eye of the beholder, of course, but we will keep the majority of people in mind. By majority, we do not mean typical information security experts. We are willing to go through 3 to 5 extra steps to log in to an email account on a new phone, but we understand most people are not interested in a lot of extra steps. The majority of people just want to access their email quickly and easily. Because of this, we will mention the point where we think the annoyance factor for the majority of users will start kicking in by calling attention to the more advanced steps, which will require more patience. The last thing we want is for people to feel security is too inconvenient to use, because not having good security in today’s environment can be very hazardous to the privacy/security of not only your information, but the information of your family and clients as well.
How does this impact me? If you bought a new product and it is super easy to set up and use, you can almost guarantee there is minimal, or no, security turned on (enabled) by default. Security is often turned off (disabled) by default because companies know the majority of consumers are more concerned with how easy a product is to use than with the security offered by the product. Likewise, some consumers may not be tech savvy enough to implement and operate security features. Because of this, a lot of the security features will be turned off by default to ensure consumers can use the product, fewer are returned to the store, there are far fewer negative reviews, and the company does not lose a lot of customers. If it is an internet-connected device, having security features turned on by default can sometimes make it far more complicated to use and harder to connect to your home network. In most cases, security features, especially advanced security features, need to be turned on after the product has been installed and connected to your network. We strongly recommend researching the security options/settings online, or speaking with the retailer where you purchased the device/product, to learn more about the security features prior to purchasing. There may be security options available that just need to be turned on (enabled) after you perform the initial setup.
Another reason to be concerned about a product being very easy to use or set up (install) is that there may not be any security features/settings at all. This is different from the previous paragraph, because in this instance there aren’t any security options/features at all. Some companies may say they have security (such as “military grade encryption”), but it could just be a marketing tactic to get people to buy their product using buzzwords. Some companies may believe their product has “military grade encryption”, but it turns out the feature isn’t working because they did not configure/install it correctly. Having no security, or improperly configured/installed security, is more common with cheap products from unknown companies, often due to budget constraints. It is very hard even for companies with plenty of money (large budget/revenue), such as Microsoft, Apple, Google, etc., to get security right, so a company with very little funding/revenue would have an even tougher time configuring security correctly. More on this to come in the “What can I do?” section.
The other issue with using products from unknown or low-revenue companies is that if a security issue (vulnerability) is found, it may often go unpatched (not fixed). Another issue is that if a security problem (vulnerability) has been fixed, you may not hear about it. When well-known companies have security issues with products, and they do, we usually hear about the issues, and we often hear that the security issues have been fixed and that we must accept (install) the new patch/update recently released.
What can I do? We mentioned all the information above so that you will start thinking about security versus convenience. We want to make sure everyone understands that as we (you) implement better/stronger security, things will become less convenient. Even simple security measures will cause some inconvenience. Think about the earlier example of adding security to your home. Using deadbolts on your doors, having padlocks on your gates and installing a security system will make things less convenient when you get home each day, but as a result it will increase the security of your home and provide better protection for your family. We don’t want anyone to be afraid to implement more security, but we do want everyone to understand it isn’t always an easy flip of a switch. There may be some “growing pains” as you learn and train yourself to do things differently. Things will become a little less convenient, but often in the end they aren’t as bad as they seem once you get the hang of it (get familiar with the new/extra steps). It’s more about getting used to a new process than it is about performing extremely difficult steps. We also wanted to make everyone aware that we will keep the “annoyance factor” in mind as we write these recommendations. We will do our best to point out the minimal and easy steps and to mention the annoyance factor when we discuss more advanced steps. The advanced steps will be geared toward people who want to implement more security at the cost of learning more complicated procedures or taking more steps than most people are comfortable with. We will do our best to explain the extra steps required so you can decide where your annoyance factor/level is and where you wish to stop. We strongly urge everyone to do the minimal and easy steps, because we view them as requirements. However, the advanced steps will definitely not be for everyone and are more optional in nature.
Another reason we wanted to write this “Finding the Balance” post was to get everyone thinking about the products, services, accounts, devices, etc. they use. If something is super easy and doesn’t require you to go through any additional steps, keep in the back of your mind that it may not be secure, and we would recommend doing some research. If you find out it isn’t secure or doesn’t have additional security settings, we would think twice about storing your sensitive information on that service or device and realize it may be time to evaluate and use a more secure option. An example of this would be if you were debating between two banks. If one bank offers customers the ability to use a 2-step authentication method, such as entering a code sent to your phone, and the other bank doesn’t have a 2-step authentication option, we would suggest doing more research on the second bank, and we may go a step further by saying we wouldn’t recommend using the second bank. Whether you use the 2-step authentication option or not, the fact that one bank offers customers the ability to implement more security and one doesn’t should make you question their service. We would ask ourselves, “If the bank doesn’t offer stronger security settings, such as 2-step authentication options, where most other banks do, what other ‘corners’ are they ‘cutting’?” (especially relating to the security of your and your family’s information).
Bonus What can I do? We always caution people against buying devices that connect to the internet (computers, tablets, security cameras, toys, stuffed animals, etc.) that are considerably cheaper than comparable products. We recommend looking for security settings when performing research online, or asking about security features/settings when speaking with sales personnel. We should all keep in mind that companies are great at using buzzwords and marketing tactics to distract shoppers. There have been countless instances where products state something like “military grade encryption”, but it turns out the manufacturer wasn’t exactly telling the truth. Either the “military grade encryption” option wasn’t implemented correctly or it wasn’t turned on by default. The marketing material (or box) didn’t say “military grade encryption…once you turn on the feature”. This is misleading, because most consumers assume that having “military grade encryption” means it is turned on automatically when they start using the product. We know disproving marketing claims is difficult for non-technical consumers, so we think the easiest rule to follow is comparing prices of competing products. Here’s a quick example.
Let’s say you are comparing internet-connected smart TVs. You found TVs from 3 different well-known brands priced between $800 and $1,000. Then you find a smart TV from an unknown brand that claims to have “military grade security” and costs only $400.
Without knowing all the technical details or disproving the “military grade security” claims of the unknown brand, we would recommend avoiding the $400 TV from the unknown brand altogether. Why would we say this? It’s hard for well-known companies with large budgets (a lot of money) to implement security correctly, so the odds of an unknown brand with an extremely tight budget (very little money) having better security are very slim, and in our opinion not worth the risk. The cheaper price is definitely an enticing bonus, but is it worth putting your, your family’s or your clients’ information at risk? The answer is a definite no, because it could cost you a lot more in the long run if it leads to your identity being stolen or your bank account being compromised (“hacked”).