The Security Buck Should Stop with the End User

Carl Weinschenk

The legal system and cultural landscapes differ greatly between the UK and the United States, so it seems unlikely that the new approach discussed in this story would have a chance of making it on this side of the Atlantic.


The security firm Finjan is pointing to two sections of the voluntary Banking Code that require online banking customers to act with "reasonable care." If they don't, the firm suggests, they may have trouble recouping losses from theft. Such an approach could cause problems for people trying to collect on theft claims who had out-of-date antivirus and anti-spyware software when the crime occurred.


It's important to note that the new UK rules are labeled as voluntary in the story, though the writer doesn't elaborate on the designation. It's also difficult to predict how such a move would translate into the corporate world. Regardless, the general idea of putting the security onus on users, where it belongs, is a good one. The reality is that people -- both as consumers and in their workaday lives -- are notoriously lax about the security status of their devices.


This is particularly true of mobile workers, apparently. SafeScan this week released a study that affixes numbers to the long-held belief that people are more careless outside the office than in. The study says that mobile employees visit pornographic Web sites, which have a high association with malware, 2.5 times more often than office-bound workers. They use file sharing 8.5 times as often, and visit "extremely graphic content" and "illegal activities" sites 5.2 and 3.9 times more often, respectively.


Organizations are getting it, but people are not. The good news in The 2008 Information Security Breaches Survey is that organizations are taking a more serious line on security. For instance, four times as many companies as four years ago have information security policies. The bad news in the study, which was conducted in the UK, is that employees aren't sharing the newfound concerns. Many of them work assiduously to overcome corporate security measures either for nefarious reasons or simply due to a mindset that focuses on collaboration.


The piece calls for more interactive and customized training. That makes sense: In many cases -- most, perhaps -- folks will desist from bad habits if they understand the true dangers of their laziness or efforts to evade security rules and systems. It also won't hurt to give them a visceral sense that they will be disciplined or even terminated for not cooperating fully.

Apr 18, 2008 10:13 AM subramanian says:
While it is necessary that users need to be cautious about their casual conduct wrt IT security, this legal stand will give a wider window for financial institutions to be more casual and irresponsible wrt the protection against fraud of their customers' wealth. This will also open up large employment opportunities for legal professionals specialising in IT / cyber laws and also for IT professionals in the security space. Who pays for it? The customer, directly and indirectly.
Apr 21, 2008 10:26 AM Brian Mairs says:
BBA here. Failure to follow this advice will not necessarily result in a customer being asked to foot the bill for losses. Each bank will have its own approach and will assess each case on its merits. And the burden of proof will always lie with the bank to prove the customer has behaved unreasonably or fraudulently. Banks and building societies are serious about protecting online banking users. Some offer assurances above and beyond what's in the Banking Code; some offer to provide antivirus software; all have invested heavily in online security. The new Banking Code does nothing to change this commitment.
Apr 23, 2008 1:17 AM Orr says:
Banks that attempt to foist the problem on to the customer will lose in the long run. Banks are in the best position to mitigate the problem but few in the US (I don't know of any) are doing anything more than second-rate authentication. Most US banks are only using "things that you know" to prove authentication and are not using true multi-factor authentication because they don't want to bear the cost. Here is a much better solution: Banks must use true multi-factor authentication. Banks should distribute USB-based fobs to customers wanting online access. USB-based fobs should be programmed with scanning, etcetera, that would kick off if a customer doesn't have current antivirus running. Fobs should be programmed with a system (using a phoned-to-customer id as a second factor) that customers use to enter the second factor. Two problems solved: no more phishing (passwords are useless without the second temp factor) and customers' systems get cleaned. I'd pay $200 to sign up with the first bank that offered such a system in the US. Time for banks to grow up and accept responsibility instead of foisting it on users who are ill equipped to solve the problem.
