
    How to Lose Customers with Excessive Security

    • Reid Cooper

      InfoWorld discusses how Too Much Security Can Cost You Customers.

      • DenisKelley

        I can't tell you how many stupid articles I read on InfoWorld. I've since stopped. While I understand where this guy is coming from, this article is just plain stupid. Comments like:

        "My browser's save-password feature helped me log in until the next password change" - You're an idiot. All someone needs to do is access your local PC and boom, Daddy has a new [insert want here].

        "In my former bank's case, it uses second-factor authentication (texts, emails, or calls) when you change your password or use a new device to access your account." - Really, is that so difficult?

        /rant

        • Reid Cooper

          A lot of banks, including mine, make you do multi-factor authentication on every login, not just to change passwords. This can be a problem, especially when traveling, as the second factor might not be reliable.

          • A Former User

            our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

            • thanksajdotcom

              I agree with Denis.
              __
              Work around the issues as best they can, which can be even riskier — for example, companies can block cloud storage and essentially force users to use less-secure, easily lost USB drives instead to carry data with them.
              Use the service much less or not at all, thus reducing productivity or other business benefit for which the underlying service exists in the first place.
              __

              So you're telling me if I block Dropbox and my user copies a file that's sensitive to a flash drive because they want to work on it from a non-secured home PC to a flash drive it's my fault because I've locked down security policy too much? BULL!!! This statement is so blatantly wrong and lacks any kind of understanding about good security policy within an organization it's embarrassing!

              • scottalanmiller @A Former User

                @Hubtech said:

                our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

                My bank makes me "verify my computer" every time even though it's been verified and saved as my machine a hundred times. It's useless.

                • thanksajdotcom @scottalanmiller

                  @scottalanmiller said:

                  @Hubtech said:

                  our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

                  My bank makes me "verify my computer" every time even though it's been verified and saved as my machine a hundred times. It's useless.

                  Do you clear your cookies?

                  • thanksajdotcom @thanksajdotcom

                    @thanksaj said:

                    @scottalanmiller said:

                    @Hubtech said:

                    our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

                    My bank makes me "verify my computer" every time even though it's been verified and saved as my machine a hundred times. It's useless.

                    Do you clear your cookies?

                    Whenever I use incognito mode, or clear my cookies, I have to reverify with Chase. If those cookies aren't present, that's why.

                    • scottalanmiller @thanksajdotcom

                      @thanksaj said:

                      So you're telling me if I block Dropbox and my user copies a file that's sensitive to a flash drive because they want to work on it from a non-secured home PC to a flash drive it's my fault because I've locked down security policy too much? BULL!!! This statement is so blatantly wrong and lacks any kind of understanding about good security policy within an organization it's embarrassing!

                      If you block secure options, don't block insecure options and fail to provide good, secure options then yes, totally your fault for causing people to work around security to do their jobs. No different than onerous password policies. It's the ones making the policies triggering bad behaviour in many cases.

                      • scottalanmiller @thanksajdotcom

                        @thanksaj said:

                        @scottalanmiller said:

                        @Hubtech said:

                        our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

                        My bank makes me "verify my computer" every time even though it's been verified and saved as my machine a hundred times. It's useless.

                        Do you clear your cookies?

                        Nope, never.

                        • scottalanmiller @thanksajdotcom

                          @thanksaj said:

                          Whenever I use incognito mode, or clear my cookies, I have to reverify with Chase. If those cookies aren't present, that's why.

                          I've honestly never used incognito.

                          • thanksajdotcom @scottalanmiller

                            @scottalanmiller said:

                            @thanksaj said:

                            @scottalanmiller said:

                            @Hubtech said:

                            our family account, which i rarely log into, has SFA, and it NEVER works. terrible.

                            My bank makes me "verify my computer" every time even though it's been verified and saved as my machine a hundred times. It's useless.

                            Do you clear your cookies?

                            Nope, never.

                            And you don't have anything like CCleaner or something being run?

                            • scottalanmiller @thanksajdotcom

                              @thanksaj said:

                              And you don't have anything like CCleaner or something being run?

                              Very rarely, nothing scheduled.

                              • thanksajdotcom @scottalanmiller

                                @scottalanmiller said:

                                @thanksaj said:

                                So you're telling me if I block Dropbox and my user copies a file that's sensitive to a flash drive because they want to work on it from a non-secured home PC to a flash drive it's my fault because I've locked down security policy too much? BULL!!! This statement is so blatantly wrong and lacks any kind of understanding about good security policy within an organization it's embarrassing!

                                If you block secure options, don't block insecure options and fail to provide good, secure options then yes, totally your fault for causing people to work around security to do their jobs. No different than onerous password policies. It's the ones making the policies triggering bad behaviour in many cases.

                                Exactly. IF someone should have the ability to work from home, and their work computer is a desktop, they need to be provided a company laptop with a VPN connection, and need to be saving their work to a central location, like a NAS or a file server. Blocking cloud storage is often the smart course of action. But if you fail to provide a means for users who SHOULD BE ALLOWED to work from home to work from home, then I agree that users will use a flash drive and that's a huge risk. However, if users want to use a flash drive because they want to work from their personal PC and bypass existing policies, that's an HR issue, not an IT one.

                                • thanksajdotcom @scottalanmiller

                                  @scottalanmiller said:

                                  @thanksaj said:

                                  And you don't have anything like CCleaner or something being run?

                                  Very rarely, nothing scheduled.

                                  Maybe your bank keeps changing the cookie for whatever reason so that it doesn't pick up on the previous one...I know your primary bank is a fairly small institution so anything's possible...

                                  • scottalanmiller @thanksajdotcom

                                    @thanksaj you can block USB just as easy as blocking cloud storage. Start by blocking USB, not cloud.

                                    • thanksajdotcom @scottalanmiller

                                      @scottalanmiller said:

                                      @thanksaj you can block USB just as easy as blocking cloud storage. Start by blocking USB, not cloud.

                                      Yeah, but if someone has a legitimate need for USB devices at times, then that can be bad. Granted, that's a niche situation, especially in the age of digital delivery and sneakernet is not as prevalent anymore (though still used some), it shouldn't be as common.

                                      • scottalanmiller @thanksajdotcom

                                        @thanksaj said:

                                        @scottalanmiller said:

                                        @thanksaj you can block USB just as easy as blocking cloud storage. Start by blocking USB, not cloud.

                                        Yeah, but if someone has a legitimate need for USB devices at times, then that can be bad. Granted, that's a niche situation, especially in the age of digital delivery and sneakernet is not as prevalent anymore (though still used some), it shouldn't be as common.

                                        Block USB storage, not USB completely.

                                        http://support.microsoft.com/kb/823732

                                        • thanksajdotcom @scottalanmiller

                                          @scottalanmiller said:

                                          @thanksaj said:

                                          @scottalanmiller said:

                                          @thanksaj you can block USB just as easy as blocking cloud storage. Start by blocking USB, not cloud.

                                          Yeah, but if someone has a legitimate need for USB devices at times, then that can be bad. Granted, that's a niche situation, especially in the age of digital delivery and sneakernet is not as prevalent anymore (though still used some), it shouldn't be as common.

                                          Block USB storage, not USB completely.

                                          http://support.microsoft.com/kb/823732

                                          Like I said, there are times that there might be a legitimate need for someone to access a USB storage device. Telling people that copying work files to a USB drive to work from a non-work computer or any other desired policies is an HR issue, not an IT one.

                                          • scottalanmiller @thanksajdotcom

                                            @thanksaj said:

                                            Like I said, there are times that there might be a legitimate need for someone to access a USB storage device. Telling people that copying work files to a USB drive to work from a non-work computer or any other desired policies is an HR issue, not an IT one.

                                            So you think it is okay to blanket block cloud storage but not USB? That makes no sense. There is far more likely to be a legitimate need to access cloud storage than USB storage. And it is far less risky to do cloud than USB. Few things are as risky as USB.

                                            Why would you give one the benefit of the doubt and not the other? Why do you feel one is an IT issue and the other an HR issue? Both are equally HR concerns tied to IT capabilities to block.

                                            However, one is modern and sensible to use much of the time. The other is not. One can have corporate controls on it, the other reasonably cannot.
