The paradox of irresponsible responsibility

This article got me thinking: People's ignorance of online privacy puts employers at risk - Network World

There is an interesting paradox for security folks. On the one hand, almost two thirds of people feel that security is a matter of personal responsibility. On the other hand, few are actually doing very much to protect themselves.

In the workplace we see this manifest in the BYOD (bring your own device) trend. Workers want to use their own phones, tablets, and often laptops. Because it is their personal device, they don’t think the company has any business telling them how to secure it, or what they can or can’t do with it. Yet they want to be able to work with the company’s documents and intellectual property, and access company sensitive networks from that device.

When that trend intersects with the poor real-world security practiced by most people, the security perimeter of businesses just got both larger and weaker.

Realistically, it is too much to expect that users will be able to fully secure their devices, or that security professionals will be able to do it for them. The productivity impact of locking users out of the devices they use (whether BYOD or company provided) is often too high, especially in the case of technical workers. Spear Phishing attacks eventually penetrate a very high fraction of targets, even against very sophisticated users. How then can we expect average, or below average, users to catch them, and catch them all.

Increasing use of sandboxing and virtualization is allowing a change in the security model. Rather than assuming the user will detect attacks, the attack is encapsulated in a very small environment where it can do little or no damage, and from which it is quickly eliminated and prevented from spreading. The trick will be to get people to actually use these tools on their own devices.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.