I fired my bank last week because I got tired of getting entangled in security systems that ensured I would be unable to access my online banking for days at a time, especially when I was traveling. My local branch manager said I was hardly alone in leaving the bank, and it's a good object lesson for what happens when security becomes overkill.
For the last decade, IT has been in a paranoiac state around security, and the result is a lack of perspective on risk assessment and correspondingly crazy security strategies. No one wants to make the wrong call on security — that is, allow a threat to succeed — so instead organizations increasingly decide to make only one call: put everything in the equivalent of a SuperMax prison, which simply institutionalizes a bad strategy.
IT's paranoia isn't driven from within IT only. Governments, businesses, and individuals alike are running increasingly scared about who's spying on them, who's manipulating them, and who's stealing from them. IT is often viewed as the organization to address those fears, the increasingly militarized technology police force.
Our connected, heterogeneous world is wonderful because we can easily move data and activities anywhere. We've gained several orders of magnitude of collaboration, productivity, and location independence thanks to these technologies.
They also make for a wonderful medium for criminals and spies to do the same. The Chinese government, the American NSA, Britain's GCHQ, Russian and Eastern European criminal gangs and corrupt oligarchs, and so on are well-known exploiters of our connected world, as Edward Snowden has revealed. The same goes for companies like Google, Facebook, and the cellular carriers, plus marketing departments in all sorts of industries, from media to retail.
As a result, we've had to be smarter and tougher about security measures since so much personal and business information now flows through the Internet (including the cloud), servers, PCs, and mobile devices. Often, we get tougher but not smarter about it.
If people have a less onerous option, they'll take it, as I did with my banking. If they don't have a formal choice, two options await:
- Work around the issues as best they can, which can be even riskier — for example, companies can block cloud storage and essentially force users to use less-secure, easily lost USB drives instead to carry data with them.
- Use the service much less or not at all, thus reducing productivity or other business benefit for which the underlying service exists in the first place.
In my former bank's case, it uses second-factor authentication (texts, emails, or calls) when you change your password or use a new device to access your account. In the online banking system itself, you have to use complex passwords that contain capital letters, numbers, and special characters in addition to lowercase letters (a common password requirement these days) — and you have to change them every four months, without reusing any of the previous 10. After four incorrect entries, you are locked out and have to call a representative during West Coast business hours to get unlocked.
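To make that policy concrete, here is an added Python model of the rules just described; it is not the bank's code, and it assumes "four months" means 120 days and uses PBKDF2 for storage, since the bank's real scheme is unknown. It shows how the complexity, reuse, expiry and lockout rules interact on a single account.

```python
import hashlib
import os
from datetime import date, timedelta

# Constructed model of the policy described above (assumptions: "four months" taken as 120 days; PBKDF2 for storage).
ROTATION_DAYS = 120
HISTORY_DEPTH = 10
LOCKOUT_THRESHOLD = 4
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")

def meets_complexity(pw: str) -> bool:
    # Capital letters, lowercase letters, digits and special characters are all required.
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))

def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, today: str):
        self.salt = os.urandom(16)
        self.current = _digest(password, self.salt)
        self.history = []            # digests of the previous passwords, oldest first
        self.changed_on = date.fromisoformat(today)
        self.failed = 0
        self.locked = False

    def change_password(self, new_pw: str, today: str) -> str:
        d = _digest(new_pw, self.salt)
        if not meets_complexity(new_pw):
            return "rejected: complexity"
        if d == self.current or d in self.history:
            return "rejected: reuse"        # any of the previous 10 is refused
        self.history = (self.history + [self.current])[-HISTORY_DEPTH:]
        self.current, self.changed_on = d, date.fromisoformat(today)
        return "ok"

    def login(self, pw: str, today: str) -> str:
        if self.locked:
            return "locked"                 # only a support call clears this
        if _digest(pw, self.salt) != self.current:
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "locked"
            return "wrong"
        self.failed = 0
        if date.fromisoformat(today) - self.changed_on > timedelta(days=ROTATION_DAYS):
            return "expired"                # a new password is demanded first
        return "ok"
```

Note that three failed guesses at a freshly rotated password already leave the user one try away from a lockout that only a phone call can clear.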
I've never had a bank as onerous in its security as this one, a local San Francisco establishment called Sterling Bank. My family and I have banked at Bank of America, Bank of the West, Chase, Umpqua Bank, regional credit unions, and others, and none has had such burdensome security requirements and hassle-heavy recovery methods.
I don't know why Sterling's system is so laborious — its IT group simply cited security, and its branch manager rolled his eyes and said it's driving customers away but IT refuses to reconsider its approach. But I know that every time I was forced to change my password, I got locked out when trying to enter whatever new one I could think of.
My browser's save-password feature helped me log in until the next password change, but it helped me not at all on my mobile devices, where I had to remember the complex passwords, then enter them on a small keyboard. I learned not to use the mobile banking because most of the time I managed to lock myself out when trying to access it. If I was on the road, as I tended to be when using my mobile device, I had to choose between not doing any banking or risking being locked out, as it was usually hard to find the time to call customer support when traveling — and of course I didn't have any of my bank info with me.
Some security pros will tell you there are tricks you can use to remember arcane passwords, but they don't scale. (Also, it's questionable whether password complexity does any good anyhow.) User ID and password requirements differ widely, so any pattern-based method falls short because of this requirement or that. You either keep a master list of all your account IDs and passwords, or you try the likely combinations in hopes of getting it right before you reach the lockout threshold.
The truth is that IT often applies password policies that don't make sense, having bought into the same kinds of magical thinking that users do.
There has to be a better way. Until there is, both IT and business managers need to be smarter about the cost of security relative to the risk. If you are too lax, you have much to lose. But if you are too strict, you also have much to lose. We tend to forget that second truth.