IT security teams’ constant balancing between controlling and relaxing access to critical IT resources to mitigate cyber risks accentuates the gulf between organizations’ need to secure information and end-users’ desire for convenient access to it. It would seem that this conflict between security and convenience mirrors Rudyard Kipling’s well-known lament – “Oh, East is East, and West is West, and never the twain shall meet”. A perpetual zero-sum game.
Shedding more light on this issue, the Curve of Convenience report based on a recent regional survey conducted jointly with F5 Networks and YouGov, showed that 53% of the 3,700-plus respondents across Australia, China, Hong Kong, India, Indonesia, Philippines and Singapore prioritize security features over the functionality and convenience of an app.
The fact that “only slightly more than half of Asia Pacific’s consumers prioritize security over convenience is surprising but it is also understandable because users find it inconvenient to use and remember multiple passwords, two-factor authentication, et cetera, which is unfortunate,” said Mohan Veloo, technology lead for Asia Pacific, China and Japan at F5 Networks.
The study also identified different personalities based on app usage, behavior, and attitudes towards security. In emerging markets such as Indonesia, India and Philippines, the majority of users’ first engagement with digital comes from mobile and their excitement translates into an ‘experience first, security second’ mindset. Meanwhile, consumers from more established markets, such as Australia and Singapore, prioritize security. In Singapore, for instance, 73% of respondents will leave an app that is compromised while in India, only 48% of respondents will do the same.
Hong Kong consumers, on the other hand, are nonchalant about security with only 37% of them willing to stop using an app that is compromised and 47% willing to leave an app that has been breached. Their counterparts in mainland China, however, are highly enlightened, equally prioritizing security and keen to try out new tech.
“A lot of this has to do with the cybersecurity laws in the countries,” observed Veloo. “In Singapore and Australia there are strict cybersecurity laws and they require businesses to report any data breach. Customers have a right to be informed, especially when their personal information has been stolen.”
One worrying finding though is that millennials, who will make up 50% of the total population in Asia Pacific by 2020, are generally less concerned with potential data security risks even though they are more aware of them. In contrast, Gen Xers and Baby Boomers are more guarded and conservative in their app behavior. Another troubling result is that despite the recent Cambridge Analytica and Localblox debacle over use of personal data and vulnerability to hacks, social networks still remain as the most used app type and the second most trusted app type in the region.
“This study was done during the Cambridge Analytica data scandal,” said Veloo. “Privacy is becoming critical. Online, users don't feel an attack physically but just a couple of clicks on the keyboard can affect them significantly. People also commonly use the same password for work, personal banking and social media accounts because it’s more convenient. Bad actors know this and they’ll go after the least protected to access everything else connected to it.”
IT departments have tried to balance between convenience and security by classifying information assets based on how critical and confidential they are. “For example, to access marketing assets, you don't need a password, unlike financial or HR information,” Veloo elaborated. “You may need more stringent access controls and two-factor authentication or implement context-aware, role-based access controls based on policies for different classes of assets. That’s the enforcement that the IT department can do beyond end-user education. You can run phishing attack drills and dry runs, send a link to everyone as a test, then share results with all managers.”
The study also found that only 20% of respondents cite QR codes and biometric features as important for their app experience while 46% of users in Asia Pacific chose security as the key feature they want in the next five years.
“Some respondents feel that mobile apps are more secure than desktop apps,” said Veloo. “Maybe biometrics – fingerprint and facial scanning – has made it convenient because you don't have to remember a password. But even with biometrics, passwords and other factors of authentication, the key is to make access more convenient. You can also use password managers to manage passwords for all your apps.”
Already, social networks are providing users with a single sign-on option for numerous other applications, from mobile games to e-commerce sites. But this also implies that users are prepared to give up their personal information in exchange for convenience and functionality.
Still, just as education addresses the human element in security, augmented intelligence and automation are increasingly being applied to security to complement human efforts in ensuring security. “First, due to the talent shortage, organizations can’t find enough good people to hire,” said Veloo. “Secondly, you’re going to need machine learning for pattern recognition and application behavior monitoring, especially in detecting abnormal performance or traffic load during a zero-day attack. You’ll be looking at a multitude of parameters. Either the system reacts to it in a split-second or you send an alert to a human to react to it.”
Crucially, applications are now the face of many businesses. But when businesses find the winning formula to balance app security with functionality and convenience, then as Kipling put it, “there is neither East nor West … when two strong men [security and convenience] stand face to face, though they come from the ends of the earth!”
This is a QuestexAsia blog post commissioned by F5 Networks Asia Pacific.