The Unisys Security Index (USI) provides insight into consumers’ general security concerns. One of the index measurements is online security, and although this survey is conducted world-wide, the latest U.K. and U.S. results presented a similar finding: roughly half of the respondents are “seriously concerned” about malware, shopping or banking online. Furthermore, the stats show a 35% increase compared to last year’s U.S. stats. Clearly, we are worried. Unfortunately, it seems that we do not handle our fears well. Half a year ago, a Norton study showed that 65% of Internet users globally were a victim of cyber-crime. Yet, half would continue their same online behaviors despite being victimized.
By observing our online behavior and quick adoption rate of technology, we can safely say the following: as consumers, security is considered a nuisance.
Take for example our password usage. Less than a year and a half ago, the NY Times featured a front page news story showing that “123456” was the most commonly-used password, followed by “12345”. Twenty years ago “12345” was also found to be the most common password. This should not come as much of a surprise since habits are hard to break – especially when we do not foresee any security incentive to change our behavior.
Does such major breaking headline news provide consumers with better education? Not necessarily. Just a week ago, LastPass, a password management system, went public with news of a possible data breach. Even though individuals who use this service are considered relatively more security-savvy than the regular man on the street to begin with, the company still chose to issue an advisory that urged users to change their passwords since not all of them have chosen strong passwords.
As customers, Web application security is considered even more annoying than passwords. We choose our applications according to two main criteria: promise of delivery, and ease of use. Twitter vulnerabilities have not had any adverse effect on its customer-base growth rate. Likewise, Facebook users have largely vetoed security concerns, and we continue to party with Evite despite security woes.
This attitude also extends to smartphones. When more than fifty of Google’s Android apps were found to be malicious, Google urged users to remove those apps. Not all users adhered, which compelled Google to turn the “kill switch” and remotely wipe those apps from the phone.
When Security Indifference Affects Others
While we may not realize it, our lackadaisical approach to security affects also other consumers. For example, if someone has a blog built upon any one of the available blogging platforms and a security update is issued for that platform, it is the blog owner’s responsibility to fix it and prevent their readers from being infected. But given the lack of security awareness, this door is sometimes left wide open. Just last week, the Pakistani programmer whose claim to fame came by tweeting the U.S. raid against Bin Laden, had his blog hacked because he was using an old version of the WordPress blogging software. The unpatched software essentially left visitors to the programmer’s blog at risk of downloading malware.
Businesses to Take the Security Reins
Businesses can cry out day and night for consumers to protect themselves, but consumers have given up on this responsibility. It is time for online retailers and banks to learn how to deal with infected customers. The stakes of a compromise are too high, including direct and indirect financial losses that range from the costs of incident investigation to brand damage and regulatory penalties. Then there is the loss of the customer base.
| Part in a Series on Cybercrime – Read Noa’s Other Featured Cybercrime Columns Here |
Whether companies are ready or not, the consumers have already voted hands-down that client-side security is a business problem, and customers are not afraid to take their business elsewhere. The September UK USI survey for example found that nearly 1 in 10 users have switched banks due to security concerns.
Next Column – The Role of Governments in Respect to their Netizens
For now it seems consumers are concerned, but do not yet know to deal with the security threats imposed by the hacker industry. It is therefore left for the businesses to protect and serve their customers – whether or not they are security-aware. But what about the government? Do they have any impact on the security of individuals’ online behavior? Stay tuned for next column as I discuss the roles nations play with respect to their online citizens.