“A paranoid user is only paranoid because they do not really understand the threat, they only understand an aspect of it.”
To best communicate the security risk of the cloud, we in IT need to bring the risks into the real world. Most IT professionals develop this skill in the first few years of their career, and this should be no different. Let’s say our users use iPhones. Ask a user to take out their iPhone, go to Settings – Privacy – Location Services – System Services – Frequent Locations. What will they see? A record of where they have been, including times and dates! Most users will be shocked, and may feel uncomfortable. Why is this data here? Is it being shared with Apple? For what reason? Who can see this data?
Our private information is being recorded like never before, but that is not necessarily a bad thing. The issue arises when users do not understand the connection between their photos, emails, and data, and how (and where) this data is stored and transmitted.
As IT professionals, we understand that at the end of the day, it only takes one vulnerability to open the door to all of our users’ data, and new vulnerabilities are discovered and exploited daily. So how do we communicate these realities to our users while achieving the following goals?
- We DO NOT want to create paranoid users! Paranoid users do not think rationally.
- We want to create a rational user who understands the cloud enough to take security seriously.
- We do not necessarily need an over-educated user. Chances are we will just bore our users to death and they will not take data security seriously.
Once again, I want to bring IT into the real world with a day-to-day life metaphor: Most users have at least flirted with the idea of dieting, if not tried a diet out. It is no secret that most diets are not successful; even if we lose the pounds, they usually come back within a year. Instead, the best way to manage our health is a lifestyle change where we learn how to eat the best foods that we enjoy and that satiate us, while also understanding what triggers us to deviate from eating healthy. We use that education to make the right choices every day, but we do not go on a crazy, restrictive diet that makes us cranky and crazed. A crazed dieter is no different from our paranoid users who do not think rationally and are overly reactive to minor threats while ignoring much larger threats. Keep in mind, though: a paranoid user is only paranoid because they do not really understand the threat; they only understand an aspect of it.
So, we want to create a healthy, well-rounded user. We do not want to scare them (maybe just a little, to get their attention), but they need to understand their responsibility. The user needs to understand that any information on their phone is a button click away from being transmitted to a server across the globe, where they have no ownership of that data. The same is true for any email or file sent to a third-party business or cloud service provider. That does not mean users cannot use these services, but they need to be aware of what they are sending. They should assume all of their data can be read by someone it is not intended for, so if they are sending data that is truly confidential, they need to be educated on how to encrypt that data. They need to understand that they are responsible for that data and need to know how to send and upload it properly.
We teach the users to change their workflow to include proper practices and to understand the risks as well as the benefits of the cloud. With proper education, we can make users aware of the correct day-to-day decisions they should make in order to be healthy, confident and secure cloud users.
By: Alex Markowitz