I've been asked a lot of times, especially when I was working for an antivirus producer, why can't we simply write a software that always protects the users.
Well, there is a short answer and a long answer.
Short answer:
Because 100% security does not exist and because most people are hackable due to being ignorant on what security is (of course, until he/she is hacked first time, and sometimes not even after such an event).
Long answer, which I massively shortened by not touching all areas and not going into details:
The reason is the ignorance about everything that might happen but it is not certain that it will happen. I mean, would anyone close an insurance if it would have not been required by law or be afraid of the consequences?
By the way, you can use this article to convince your C-level people to pay for that expensive cyber security training for the entire company.
According to Webster.com, the definition of IGNORANCE is:
- a lack of knowledge, understanding, or education : the state of being ignorant
[noncount]
— used to say that a person who does not know about a problem does not worry about it
In a company, every employee expects the company’s IT department to take care of security. It almost never crosses their minds that security is everyone's business and duty. At home as well as at work, people just hope for the best, that they will never get their PCs infected, their online accounts hacked, their online identity misused, their bank accounts emptied.
Why ? Because people think : this can’t happen exactly to me.
Lately, people have become the product to be hacked!
Again, why? Because cyber criminals go where the easy money are: to the people.
And even if they don’t steal anything from the users and they don’t do any harm to them either, they will use their computers or the social media accounts to spread malware to attack or blackmail others or just to make easy money from the clicks.
Most of the people I talk to, ask me at this point: How can people be hacked ?
I agree that "hacked" is a misleading word, especially when I talk to knowledgeable people or with other security experts.
Cybercriminals use social engineering to manipulate people to do what they usually don't do.
Here are just very few examples that I see often (again, feel free to use them and enhance the list):
- click on links to pictures/movies/articles with almost naked woman or some interesting content on Facebook or other social networks. What happens is called clickjacking: the user must LIKE a certain page in order to see the content.
- the users are forced to install "media player codecs" in order to be able to see a cool movie. Needless to say that it usually isn’t a codec, it is some kind of malicious software.
- users deactivate the antivirus software because they think it slows down the PC, blocks some cool download or just feel that everything takes too long. You hear often the argument, "but it was just that one single time". Unfortunately, the software that they downloaded faster and executed it was malicious. Even after the antivirus is activated again, it can be that it doesn't detect the malware for some time.
- users install any cool app that is suddenly available for free when normally it cost some cents. Many times it is being made free because it either integrates ads or it includes a trojan that does something in the background.
… the list is very long…
All these issues can be fixed by fixing the the ignorance problem.
Conclusion
Is the IT security industry trying to fix the wrong problems?
Their focus is, for obvious reasons, on what provides immediate value out of the box: protect the device.
Should they start to focus on hardening the user?
But, then how do you protect a user from himself?
There have been intense discussions in the past years regarding the "computer driving license". You will find various initiatives if you search these terms.
But to have such an initiative adopted you need more than just a website and a certification.
One thing we know for sure: security comes always with a price. It is either the privacy or, most of the time, usability.
And it seems that nobody is voluntarily willing to pay this price.
Author of the "Improve your security" free eBook.