“Should I change my password?” “OK, I changed my password, now I’m secure, right?”
Media reports over the past month certainly heightened security awareness and drove the public to sit up, pay attention, and do “something.” What that something is depends on the guidance people heard, the importance of the service they are using, and what it would mean to them personally if the service were compromised.
Is it related to their finances, healthcare, or maybe just some free service designed to simplify their lives?
Perhaps just as important is what people felt they were knowledgeable enough to do before going and taking action. In other words, is the guidance they are receiving something they have the skill to act on?
Changing passwords, while at the lower end of the complexity spectrum, is a security task most people are capable of. Multifactor authentication, password managers, overall good security hygiene – while not rocket science, these are not top-of-mind (or even known) to the average person on the Internet.
Simply put, people want to access a service without complications, and, like it or not, passwords fit this basic need.
This is security awareness of the Heartbleed kind – global media warnings driving awareness and prompting people to take action or, in some cases, to do nothing at all.
Emotions play a big role when people decide to take action. While the security community would much rather address security awareness more effectively, like it or not, events like Heartbleed grab global media attention, and some people take notice and do something within their skill set. Granted, some sites forced password changes whether people liked it or not.
Pew Research Center’s Internet & American Life Project recently posted a study examining Internet users who were aware of the Heartbleed bug, took action, and decided to change their passwords. Pew Research does not take positions on Internet policy issues or endorse technologies, but rather examines Americans’ Internet use and how those activities affect their lives.
Between April 23 and 27, Pew Research conducted a random survey and found that roughly 39% of those polled took action to change their passwords, and about 60% of those polled had heard something about Heartbleed. Not surprisingly, the higher the education level and salary of the person polled, the higher the percentage of those who had heard of Heartbleed.
Critics may argue this poll didn’t reach enough people. Yes, it would be even more credible if the poll had reached millions of Americans. However, polls aside and from personal and professional experience, Heartbleed ranked near the top (second to Target) for the most discussion I’ve had with people outside of security in my career.
There are always side-bar discussions about whatever the latest security buzz is. But the last 6 months in particular have driven more and more interest in security at the highest levels of the business and among everyday people.
This isn’t how security awareness was meant to reach the masses: through security events driven by primetime media, leaving security teams to break down and explain to people what it means without FUD.
Since this is the hand we’re dealt, there is an opportunity to capitalize on the discussion momentum with business leaders, employees, and everyday people. Heartbleed allows security teams to take a step back and examine how it was handled internally. Even if an organization wasn’t running the vulnerable version of OpenSSL, chances are good that employees within the company access third-party services that were.
What was the communication plan to the employees internally? What was the communication to your customers and third parties relying on your services? How did the organization monitor access to third parties who may have been vulnerable?
These are just a few questions organizations can use as takeaways from Heartbleed. The Heartbleed events were, at one point, an awareness moment for security teams, and then we were prompted to go and do “something,” just like everyday people. What was that “something,” how can it be used as a learning experience in communication and incident response, and how can it keep the discussion momentum on security going within the business?