When it comes to computer security, people are the gaping hole for hackers to exploit.
Believe it or not, fairly sophisticated technologies exist to protect our data.
Encryption algorithms available to us are well-tested and require impractical amounts of resources to breach.
Virus detection and spam blocking are at all-time highs as well.
If the technology prevents security breaches, why are successful attacks happening at an increasing rate?
Much has been written about the ingenious methods hackers sometimes use to get around security.
But the most effective method available remains taking advantage of the average person.
IBM’s 2014 Cyber Security Intelligence Index reported 95 percent of all security incidents involve human error.
It’s not difficult to imagine given some clear examples.
Earlier this year, Independent Security Evaluators released a study about securing patient data at hospitals.
In assembling the report, security consultants successfully breached more than a dozen hospitals using simple methods.
Infected USB drives were labeled with each hospital’s logo and dropped on the ground.
Hospital employees simply picked up the drives and plugged them into nursing stations and unknowingly infected the entire hospital network.
Perhaps even more worryingly, security consultants merely walked into several hospitals and got on nursing stations that were left logged-in and unattended.
In a notable example of a not-so-rare technique, a teenager was able to gain access to the email account of CIA Director John Brennan by simply calling Verizon.
The Verizon employee gave away enough information for the teenager to change the password on the email account.
Once again, all the technology in the world can encrypt personal data and passwords.
But as long as an employee can be tricked over the phone into giving away information, we aren’t secure.
When it comes to human error in security breaches, no one person or group is to blame.
There’s no single solution.
Years of incredible technological innovations have left the average person far behind on the latest security developments.
Websites are keen to make sure users have passwords that fulfill a bunch of requirements and remain distinct.
But the average person can’t reasonably be asked to remember a different password for every website.
I have 33 website accounts, each with different logins.
Without keeping a document on my computer with all these passwords — a huge security flaw in its own right — I’m left to write them down on a piece of paper. It’s not exactly an elegant solution.
Major websites, as well as governments, need to begin widespread advocacy for password managers, multi-factor authentication and simple security education.
Password managers interact with web browsers on phones and computers to generate and remember complex passwords for us.
They’re simple and effective, but the average person doesn’t know they exist.
Multi-factor authentication is an easy way for users to add another layer of protection besides a password.
Simple security education would teach people ways to avoid spam emails and social engineering attempts.
Humans will always make mistakes, but when it comes to technology security, a few simple fixes can reduce a huge percentage of breaches.
sshahsav@indiana.edu