It's time to stop blaming the End User and adopt a new security strategy

If you've ever worked in IT, you've probably heard the phrase "PEBKAC": problem exists between keyboard and chair. We use this phrase as a way to say that the user is at fault without actually saying "You're the problem". Over time I've started to notice that more and more companies are taking the PEBKAC approach to security.


Just recently, in a nightmarish PR move, Amazon took to blaming customers for reusing passwords in the numerous RING camera hacks. It's no big surprise that people reuse passwords, or that most people use weak passwords; however, Amazon is handling this the completely wrong way. I'd argue most companies are handling this wrong.


To put it simply, we need to stop relying on the end-user to "do the right thing". In a recent (2018) study reported by Bleeping Computer, it was revealed that 86% of people never updated the firmware on their router, 82% never changed the default admin password, and 69% never changed their Wi-Fi settings. It gets even worse when you read that 34% of those respondents weren't sure how to do any of those things.


In another study, this time by Google, it was revealed that 90% of users don't have 2FA enabled, despite 2FA being effective at blocking 100% of automated attacks, 96% of bulk phishing, and 76% of targeted phishing. Google software engineer Grzegorz Milka explained this in an interview with The Register, stating that Google chose not to enable 2FA by default because it could drive too many people away from the service.


Perhaps the most notable instance of "the end-user not doing the right thing" came from the WannaCry destructive malware (not ransomware) campaign. Two months before WannaCry wreaked havoc on the world, Microsoft released a patch (MS17-010). Two years after that fateful day in May 2017, the EternalBlue exploit used in WannaCry is still at large: TrendMicro reported about 73 thousand EternalBlue instances and Sophos reported over 4.3 million. Again, I want to stress the fact that Microsoft patched the vulnerability behind this exact exploit over two years ago. To expand on this further, Sophos reports that 97% of the infected systems were running Windows 7, even though Windows 10 had been released two years earlier. Windows 10 built automated updates into the OS, and because of that most Windows 10 PCs were not affected.


The facts are simple. If we leave it to end-users to secure things themselves, they won't. We as a security culture need to adapt our strategy. We can no longer expect the end-user to update their router, apply security patches, or enable 2FA.


In an older study, SANS STI graduate student Preston Ackerman looks into the adoption rates of 2FA. What he noticed was that, when shown how to implement 2FA, 87% of people said it was easy to use, yet only 24% of them went on to adopt it. When surveyed about why they did not implement 2FA, the most common response (39%) was that they were too busy. The fourth most common response, at 10%, was that they forgot. According to the paper, a Fortune 500 company saw 2FA adoption rates increase to almost 86% after switching 2FA to on by default with an opt-out process. Mr. Ackerman also states that since users are given the freedom to opt out they're unlikely to switch service providers, preemptively contradicting Mr. Milka's statements, which would come a year later.


Using this study's results, we can reasonably infer that the end-user would keep 2FA enabled because it was easy to use, they were too busy to turn it off, and/or they forgot to turn it off. When Windows 10 was announced, it was revealed that Microsoft would be taking update control away from the user; instead, Windows 10 users would only be able to delay updates, and even then not security updates. While a lot of people reacted to this negatively, it was a very good thing. Some routers are also taking away user control over updates: Google Wi-Fi and Ubiquiti both do automated updates now.
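To make the "on by default, opt out explicitly" model concrete, here is a small Python account model I've added as an illustration (it is not code from the original post or from any of the products named): new accounts are enrolled in TOTP-based 2FA at signup, a password alone is never enough until the user records an explicit opt-out, and the opt-out is written to an audit trail. The `Account` fields, the audit list and the skew window are my own assumptions.

```python
import hashlib, hmac, secrets, struct, time
from dataclasses import dataclass, field
from typing import Optional


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    msg = struct.pack(">Q", at // step)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:                       # assumed minimal account record
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes               # shown to the user once at signup (authenticator app)
    two_factor: bool = True          # secure default: ON; the user has to opt out
    audit: list = field(default_factory=list)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(username: str, password: str, totp_secret: Optional[bytes] = None) -> Account:
    """Enrol 2FA at signup instead of offering it as an optional extra later."""
    salt = secrets.token_bytes(16)
    acct = Account(username, salt, _hash_pw(password, salt), totp_secret or secrets.token_bytes(20))
    acct.audit.append(("2fa_enrolled", username))
    return acct


def opt_out_2fa(acct: Account, reason: str) -> None:
    """Opting out is an explicit, recorded action rather than a silent default."""
    acct.two_factor = False
    acct.audit.append(("2fa_opt_out", reason))


def login(acct: Account, password: str, code: Optional[str] = None, now: Optional[int] = None) -> bool:
    if not hmac.compare_digest(_hash_pw(password, acct.salt), acct.pw_hash):
        return False
    if not acct.two_factor:
        return True                                           # user explicitly opted out
    if code is None:
        return False                                          # password alone is not enough
    now = int(time.time()) if now is None else now
    # accept the previous, current and next 30 s window to tolerate small clock skew
    return any(hmac.compare_digest(code.encode(), totp(acct.totp_secret, now + d).encode())
               for d in (-30, 0, 30))
```

The `totp` function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082` at six digits), so you can check it against any authenticator app.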


This is the mentality we need to take as a security community. We need to stop expecting the end-user to do the right thing, and we need to stop blaming them when they don't. Take control away from the end-user and put security at the forefront. To bring everything back to that nightmarish PR move Amazon pulled: if they had made 2FA on RING accounts enabled by default with an opt-out instead of an opt-in, I'd bet they wouldn't be in the hot water they are currently in with that lawsuit for negligence and whatnot.