I frequently engage in conversations with people about IT security. It quickly gets personalized to the individual or business. The person inevitably wants to know “Am I secure?” or “Is my business safe?” As much as I’d love to give a clear and concise answer to my friends, I just can’t!
Please forgive the obvious, but many questions don’t lend themselves to easy answers. I wonder if doctors get the “Am I healthy?” question in the same way. It’s clearly a simple question, but the answer is complex and unique to each person.
Two major principles of security we are educating our friends and clients on are:
- Security and Convenience are in constant tension. Each person or business needs to find the right balance between these.
- There is no single “key” to good security. Implementing layers of security is the best plan for individuals and businesses.
For this month, I’ll share thoughts on the conflicts between Security and Convenience, while next month we’ll share on how to implement layers of security.
Finding a Balance
In the simplest form, you can’t have maximum security and high levels of convenience in any one system. The more secure I make a computer, mobile device, website, or database, the less convenient I simultaneously make it to access. Let’s look at each of these and how we can make them more secure, and in turn, less convenient.
We can protect computers with a password upon login. This prevents unauthorized users from logging on to your computer. However, if you need to ask a family member, friend, or colleague to retrieve something from your computer, you will have to share the password.
With the latest iPhone, you can set up a fingerprint to unlock your phone. This is extremely secure. However, if you leave your phone at home or work and you ask that same family member, friend, or colleague to check your messages, they will not be able to. That’s not too convenient.
When logging into a website, there may be two-factor authentication, or 2FA. Two-factor authentication is a security measure that requires the user to enter a “known” password and also requires another component, such as a temporary password that is sent to your mobile phone. A thief or hacker is far less likely to have both your bank account login information and your mobile phone. It may be inconvenient in the moment to enter additional information, but it is an excellent way to deter hackers from logging in to your accounts.
If your company requires the user to change passwords every 90 days, this is a very good security practice. Criminals who have stolen your password can’t use it if it’s changed! That’s a good thing, but isn’t it annoying when a website forces you to change your password?
Convenience is Not Always Best
On the other hand, the more convenient you make access to a computer, website, or anything else, the less secure it is. It’s certainly very convenient to use the same password for many different systems, but what happens if the password is compromised? You have provided the criminal access to ALL of your systems! Using free wireless access in a coffee shop is convenient (and saves your data usage), but it exposes your laptop or mobile phone to a network where criminals might be lurking. It’s often helpful to use public Wi-Fi, but it definitely comes with the price of being less secure.
Other Scenarios to Consider Your Security vs. Convenience
Can you see the tension between security and convenience? Here are a few other examples where you might consider how secure vs. convenient you’d like to be:
- Using cloud applications, such as Dropbox or online banking;
- Using mobile devices such as laptops or tablets;
- Sharing files or passwords among your employees, volunteers, interns, or family;
- Encrypting emails between you and your customers or vendors; and
- Storing/saving passwords in your web browser so you don’t have to type them each time you visit a site.
For each of these and more, each time we choose greater convenience, we sacrifice the data’s security. If you want greater security, then it will certainly be less convenient. I don’t have a simple answer. I am hopeful that you will consider this tension in each data scenario you encounter and make the right decision based upon its proper balance.
Please look for a discussion on implementing layers of security next month.