This is What the Shifting Responsibility of IT Security Looks Like
- Credit card providers protect their users from fraud, making sure they don’t lose out financially when the bad guy strikes.
- The IT industry needs to start thinking the same way that credit card provider do. It isn’t reasonable to expect the user to pick up the responsibility for IT security.
- Our patented isolation technology allows user tasks to be put into disposable hardware isolated micro-VM containers. Users can get on with their day without needing to be specially trained to spot the bad guy trying to get them.
Recently I received a phone call from my credit card provider who questioned why I had bought a few hundred dollars’ worth of goods from a Best Buy in Los Angeles. I am based in the UK and haven’t been to LA in about ten years the credit card provider was right to call it into question.
While a little frustrating that somehow the bad guy had managed to get my credit card details, I have nothing but praise for my credit card provider: they spotted the problem, contacted me to make sure it was a fraudulent event, took all responsibility for the fraud and refunded the money to me straight away. My part of the process was resolved within a three minute phone call and two days later a new credit card landed in my post box and I was ready to continue doing my bit for the consumer confidence index
Watch: Bromium defeats ransomware.
I haven’t named my credit card provider because they are nothing special. While they did a fantastic job, my experience has been that all other UK providers would have done an equally good job – which is due in part to who is responsible for cleaning up the aftermath of credit card fraud. In the UK, the credit card company is responsible. As the user of the card, I get on with my day spending where I please and if the bad guy beats the system and manages to defraud my card then it is not my concern the credit card company is looking out for me and will make sure I don’t lose out financially.
Role reversal in IT can make a huge difference.
If the same event was to happen in the IT industry, things would most likely go very differently. Often the user is made to feel responsible for clicking on that bad link, or opening that evil attachment. As a credit card customer, I am protected by the laws in place around my credit agreement and if there’s a breach, the credit card provider takes responsibility.
But in the IT world, we repeatedly hear stories blaming end users for being the cause of a breach after being tricked by a phishing attack or some other black hat tactic. This is just wrong and cyber security strategists need to shift responsibility much like my credit card company. It’s not reasonable to expect the user to take responsibility for IT security. Educating users can help reduce risk, but it won’t remove it and education comes at significant cost to the enterprise, training is expensive both in time and money. Even worse, companies who don’t educate and instead lock down their end users which is counter-intuitive if your business is interested in creativity, innovation and idea-generation.
End users held for ransom and then held responsible.
Ransomware, which is still on the increase, illustrates the need to shift responsibility away from the user. A quick bit of web searching will show articles putting the onus on end users and the top recommended “fix” for ransomware is to “educate users against phishing emails,” ridiculously it’s even higher on the list than the basic IT security task of making sure your systems are patched up-to-date!
Ransomware exists because it’s a profitable industry: in the UK alone recent studies suggest at least £4.5M has been paid out to the scammers in the last year.
Here is the nasty bit: we have heard of users paying the ransom out of their own pocket because they fear getting in trouble with their employer for getting hit. IT policy and training has shifted cyber security responsibility in the mind of the employee just enough that a small number of users are paying their own money to cover for what is really a failing on the part of their corporate IT security policy. This is the equivalent to personally paying for a fraudulent event on a corporate credit card (not even my own) and the exact opposite of what ought to be happening. It means the bad guy gets his money and the economics of ransomware is intact – they got the money.
It doesn’t have to be this way. Start the shift.
A key Bromium use case is to stop attacks at the endpoint. This allows the user to get on with their day without needing to be trained to spot the bad guy trying to avoid them. Our patented isolation technology puts user tasks into disposable hardware isolated micro-VM containers.
If the user clicks on something that turns out to be a phishing attack and the bad guy get their ransomware (or other malware) to execute, there is no consequence for the user. The ransomware executes in the micro-VM safely (where we keep a close eye on what it is doing and report back to the security team) and when the user closes the webpage or document the micro-VM and the malware is gone forever. No ransom to pay, no machine to re-image and most importantly no user will feel responsible for keeping their company safe.