The Current State of Consumer Security Hygiene
Consumers need to work on their basic security hygiene, according to a Tenable consumer survey of 2,196 U.S. adults and their personal security practices. Tenable found that the majority are lacking in their security habits - most don't use two-factor authentication (2FA), and some are not updating their devices in a timely manner. Yet nearly all (94%) have heard news stories about security breaches in the last year.
But why should businesses care? Consumers are also employees that are increasingly using their own personal devices to access work applications, data and other resources in order to work flexible hours and from locations outside of the traditional workplace. A lapse in their personal security habits can potentially have a ripple or direct effect on corporate security.
A few of the interesting statistics about consumer security habits from their survey include:
- 25% of participants have implemented two-factor authentication on their devices to protect personal information in the past year (closely aligned with Duo Labs’ finding, in its State of the Auth report, that only 28% of Americans use 2FA)
- 68% avoid opening links and attachments from unsolicited emails or texts
- 53% of Americans use a password to lock their computer and 45% use a PIN passcode to lock their mobile devices
- 19% have implemented biometric authentication on their devices in the past year, despite Apple introducing Touch ID in 2013 and facial recognition technology more recently
- 14% of smartphone users wait more than a week (or never) to update apps on their smartphone; 13% of computer users wait more than a week to update, and another 5% don’t update computer apps at all
These habits all center around authentication, access security and device/endpoint security. As network security shifts from a perimeter-based approach to the more challenging user and endpoint-focused approach, consumer and enterprise security must also follow.
Consumers should turn on 2FA everywhere it’s offered - Twitter recently added support for third-party authentication apps that generate passcodes (generally considered more secure than SMS) for login verification. Some online banking websites offer advanced authentication, and major online shopping services like Amazon also offer 2FA. iCloud users can and should turn on 2FA to protect access to their device data and cloud backups.
Enterprises can step up access security by enabling more stringent controls for access to more business-critical or sensitive applications and data - for example, requiring the 2FA method of push notifications or a U2F security key for access to applications that house HR or financial data. Identifying and applying different security policies for corporate-owned vs. personal devices can also help reduce risks introduced to company resources.
Another example of an enterprise access security policy is requiring a PIN or password on employees’ personal devices - a security basic that only about half of the survey respondents currently practice.
When it comes to updating apps, mobile devices and computers, it’s important to install an update as soon as it becomes available - within 24 hours of receiving a notification. Enterprises can set another endpoint policy that requires users to be running the latest version of a browser, plugin or application before granting them access to company resources/networks.
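The three policies described above (stronger 2FA for sensitive applications, different treatment of corporate vs. personal devices, and blocking out-of-date browsers and devices without a screen lock) can be combined into a single access decision. The following is an added example written for this article, not Duo's product code; the `Device` and `AccessRequest` fields, the minimum browser versions and the "deny personal devices for sensitive apps" rule are constructed assumptions that an enterprise would replace with its own policy.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical endpoint posture as an access proxy would see it (assumed fields).
@dataclass
class Device:
    corporate_managed: bool   # corporate-owned (e.g. device certificate present) vs. personal
    screen_lock_enabled: bool # PIN or password configured on the endpoint
    browser: str
    browser_version: str      # dotted version string, e.g. "64.0.3282"

@dataclass
class AccessRequest:
    device: Device
    app_sensitivity: str          # "standard" or "sensitive" (HR, finance, ...)
    second_factor: Optional[str]  # None, "sms", "totp", "push" or "u2f"

# Constructed policy constants: minimum (major, minor) browser versions and factor tiers.
MIN_BROWSER = {"chrome": (64, 0), "firefox": (58, 0)}
STRONG_FACTORS = {"push", "u2f"}          # required for sensitive applications
ANY_FACTOR = {"sms", "totp", "push", "u2f"}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "64.0.3282" into (64, 0, 3282); unparseable input becomes (0,) so it fails the check."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return (0,)

def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is "allow", "deny" or "step_up".
    Device hygiene checks run first, then the application-specific 2FA requirement."""
    dev = req.device
    if not dev.screen_lock_enabled:
        return "deny", "device has no PIN or password lock"
    minimum = MIN_BROWSER.get(dev.browser.lower())
    if minimum is None:
        return "deny", f"unsupported browser {dev.browser}"
    if parse_version(dev.browser_version)[:2] < minimum:
        return "deny", f"{dev.browser} {dev.browser_version} is out of date"
    if req.app_sensitivity == "sensitive":
        if not dev.corporate_managed:
            return "deny", "personal devices may not access sensitive applications"
        if req.second_factor not in STRONG_FACTORS:
            return "step_up", "push or U2F second factor required for sensitive applications"
    elif req.second_factor not in ANY_FACTOR:
        return "step_up", "second factor required"
    return "allow", "policy satisfied"
```

A "step_up" result means the user is prompted for the stronger factor rather than refused outright, so the policy tightens access for sensitive data without blocking users who can satisfy it.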
Get the basics behind this policy-driven security model, including:
- Identifying corporate vs. personal devices
- Easily deploying device certificates
- Blocking untrusted endpoints
- Giving users secure access to internal applications
Download Moving Beyond the Perimeter: Part 1 for a primer on the theory, and then read Moving Beyond the Perimeter: Part 2 for technical specifics on how to implement a new enterprise architecture to address new risks beyond the perimeter.