Security pros may finally be winning the fight to get users to value security over convenience.
Users' willingness to sacrifice security for convenience has been a long-time frustration for security professionals, but that seems to be changing. Users now rate security as more important than convenience, according to a recent IBM Corp. (NYSE: IBM) study: IBM Security: Future of Identity Study.
Security was particularly important for financial applications, while convenience was still a little bit more important for users of social media applications, according to the report.
Biometric and two-factor authentication are becoming more popular than traditional passwords, particularly among millennials. Younger users were more likely to use those types of authentication technology, while older adults practiced better password hygiene, IBM says.
IBM surveyed nearly 4,000 adults worldwide. The study found that biometrics are becoming mainstream, with 67% of respondents comfortable using biometric authentication today. Further, 87% say they'll be comfortable with these technologies in the near future.
Millennials, in particular, are comfortable with biometrics; 75% of respondents between the ages of 20 and 36 are comfortable with biometrics. And they're more likely to be careless about passwords: Fewer than half are using complex passwords, and 41% reuse passwords. Older users are more careful about passwords, but they are less likely to use biometrics and multifactor authentication, IBM says.
"Generational differences that emerged from the survey results showed that younger adults are putting less care into traditional password hygiene but are more likely to layer access with multifactor authentication, use biometrics for speed and convenience, and use password managers to secure their accounts," according to a report signed by Limor Kessem, IBM executive security advisor. "This could be an indication that younger generations have less confidence in passwords to begin with, thus looking to alternative methods to secure their accounts."
Companies that fail to secure data will pay a penalty with millennials, who are more likely to delete an account held by a breached service provider and move to a competing provider, IBM says.
Security beats convenience in all categories of apps, but particularly those where money is at stake: Banking, investing, budgeting, online marketplace and workplace, as well as email. The one exception in the IBM study was social media, where convenience still had a narrow edge over security and privacy. Users are still not awake to the vast and potentially dangerous amount of information about them held by social media platforms, IBM says.
IBM has advice for companies looking to do business with the new generation of more security-conscious users: adopt flexible identity platforms that let users choose between multiple authentication options. And businesses should also take risk-based approaches that balance security and convenience appropriate to the critical nature of the data being accessed.
The shift to security over convenience is a big change from a 2008 Gartner study, which found just the opposite. At that time, respondents said they used the same one or two passwords across online services, and they weren't interested in changing their methods to achieve greater security, Gartner said.
Security vs. convenience is a false choice, notes Cory Doctorow, blogger, technology activist and science fiction writer. It's "extremely inconvenient" to have "your identity stolen or your email published on the web or your baby monitor turned into a spycam," Doctorow writes. It's easier in the long run to exercise good security at the outset "than remediating the damage done from a security breach down the line."
User security is particularly important for cloud applications, which are frequently connected to one another and to on-premises applications, meaning that an attacker breaking into a single account on a single application can leverage that access to attack an entire enterprise. Also, while traditional applications require access to the enterprise's physical premises or WAN, public cloud applications are available all over the world, vastly increasing the attack surface. (See Cisco: Attackers 'Weaponize' Cloud Services.)
Companies are lagging behind users in prioritizing security; businesses still prioritize expedience over security, at least in mobile, according to a recent Verizon study. (See Verizon Mobility Security Index Shows Enterprises Not Doing Enough.)
IBM published an infographic summing up its findings: The Future of Identity.
— Mitch Wagner, Editor, Enterprise Cloud News