End users, often viewed by infosec specialists as a corporation’s weakest link, appear to be finally understanding the importance of good security and privacy practices.
Since 2019, more US consumers have taken steps such as using stronger passwords for their home Wi-Fi networks, using multi-factor authentication (MFA), blocking or deleting all cookies on their web browsers, and deleting smartphone apps they suspect are collecting too much personal data or don’t protect that data adequately, according to a study [PDF] by Aspen Digital Institute and Consumer Reports.
This is all good news for enterprises that are seeing more of their employees working from home and accessing more applications and data from the cloud and other places outside of their companies’ central datacenters.
“Among the security habits surveyed, consumer privacy and security practices have increased over the years as consumers have made changes to update and protect themselves and their personal information or data,” the report’s authors wrote. “These increases vary depending on each practice. Since 2019, a large number of individuals have adapted the use of multi-factor authentication versus a stagnant change in individuals who use a password manager or virtual private network.”
Consumer Reports surveyed 2,103 adults in the United States via the phone and internet.
The right time of year
The report comes out during National Cybersecurity Awareness Month, a program started in 2004 by the US Cybersecurity and Infrastructure Security Agency (CISA) and National Cybersecurity Alliance (NCA) to put a focus on what individuals can do to protect themselves against cyberthreats.
The report doesn’t drill down on why attitudes are changing for the better, though Bruce Schneier, a Fellow and lecturer at Harvard Kennedy School, wrote in the report that some results – such as consumer suspicions about how companies are handling their data – shouldn’t come as a surprise.
“Surveys consistently demonstrate that people are concerned about their privacy in the face of both governments and corporations,” Schneier wrote. “The reason people don’t often act on those concerns is that they feel powerless. There are often no easy ways people have to protect the privacy of their personal data, nor are there reasonable alternatives to the tech monopolies that make surveillance their business model.”
Dominant companies like Facebook, Google, Twitter, and Amazon long have been suspect for the massive amounts of personal data they collect from their billions of users and how they use that data. As the saying goes, if a company doesn’t charge you for a product, you are the product.
Getting smart about authentication
According to the survey results, US users appear to be getting the message about passwords, often the primary way for authenticating identities despite efforts by Microsoft, Apple, Google, and others to push biometrics and other options. In 2019, 74 percent used a strong password – defined as having at least eight characters and upper and lowercase letters, numbers, and symbols – for their home Wi-Fi networks. Three years later, that number is up to 88 percent.
In addition, 85 percent of vendors now require a password, PIN, or methods like touch or face ID to unlock their smartphones – compared with 69 percent in 2019 – while 77 percent of users use MFA to log into online accounts. That number in 2019 was 50 percent (though at the time the question was about two-factor authentication).
In other areas – using a password manager tool, a VPN, or the “private” or “incognito” feature on their smartphone – consumer use improved slightly but was still at relatively low levels, hovering around the one-third area in some instances.
Wavering confidence about data privacy
However, even with the improvements, a slight majority – 52 percent – of respondents said they were at least somewhat confident that personal data like their Social Security Numbers and health and financial information is private and not distributed without their knowledge.
However, 75 percent said they were at least somewhat concerned about the data companies collect about them and how that data is stored.
According to the report, 33 percent said the federal government bears the most responsibility for protecting their online privacy, about the same as three years ago. However, there was a shift away from companies – 32 percent this year said they were most responsible, while 42 percent in 2019 put it on companies – and toward the consumers themselves. About 25 percent this year said users were primarily responsible, up from 17 percent in 2019.
High-profile attacks driving awareness
Darren Guccione, co-founder and CEO of zero trust software maker Keeper Security, told The Register his company has seen similar growth in security awareness among individuals, noting that the number of people buying their secure password management software last year grew 11.3 percent.
The constant flow of news about high-profile cybersecurity incidents has had the “silver lining” of raising awareness about the need for people to take proactive measures like implementing MFA and strong passwords as well as regularly updating software, according to Guccione.
“As consumer awareness about the critical importance of cybersecurity continues to grow, cutting-edge technologies, such as gesture-based controls and biometrics, and improved user interface design, are unifying security with ease of use,” he said. “This, in effect, has a transformative and positive impact on enterprise-wide adoption, which in turn, improves the overall security of the organization.”
Casey Ellis, founder and CTO at crowdsourced security company Bugcrowd, shared Guccione’s perspective. While cybersecurity has been an issue for a long time, until seven to 10 years ago, most of the awareness efforts came from those in the security field “preaching from the street corner soapbox.”
That has changed. Cybersecurity is now a “dinner-table topic, and anything that is discussed enough times at the dinner table eventually makes its way into the board room,” Ellis told The Register.
“The consistent and ascending cadence of breaches, as well as the increasingly personal and uninsurable nature of the consequences of breaches, are making even the most non-technical consumer aware that cyberspace is an extension of their personal space, and thus the safety and privacy of that space is something that affects them as an individual. I believe the main shift here is that people who think this way are no longer seen as outliers, but as the norm.”