Users Must Take Stronger Role in Information Security

At a roundtable discussion, security pros from Microsoft, Symantec, McAfee and other companies weighed the role of consumers, vendors and online businesses in securing the Internet.

During the past few years, the threat of data being bought, stolen and traded on the Internet has oozed deeper into the consciousness of many Web users. But unpatched computers, out-of-date applications and poor Web surfing practices raise the question of whether users need to take more responsibility for their online safety.

At a June 28 roundtable discussion organized by the National Cyber Security Alliance, security experts from Lockheed Martin, McAfee, Microsoft and other companies discussed the balance between user and corporate accountability in the digital world. Roland Cloutier, chief security officer at business outsourcing solution provider ADP, said a lack of consumer education has led to more unsecured machines, and improving the situation will require a greater understanding by users of the role they need to play.

Many users have a value system online that stresses openness and information sharing, opined Dave Marcus, security research and communications manager for McAfee Avert Labs. However, those same users are often not aware of the interconnectivity of Web 2.0 technologies and websites, and just how much their data is shared, he said.

Compounding this, many users don't stay up to date with browsers, applications and operating systems, noted Andrew Cushman, senior director of Trustworthy Computing at Microsoft. Attackers are typically lazy, he said, and there's enough "low hanging fruit" in the form of unpatched or older systems that hackers don't need to target the more secure versions.

According to May browser market share numbers from Net Applications, nearly 19 percent of Web surfers were using Internet Explorer 6 (IE 6), and some 13 percent were using IE 7. About 27 percent were using the most current version of the browser, IE 8, which brought with it a host of protections that users who have not upgraded are missing out on.

"There's only so much we can do as technologists and vendors," Marcus said.

Still, businesses need to do their part to keep users safe, participants agreed. Rick Doten, chief scientist for the Center for Cyber Security at Lockheed Martin, noted that in other countries, consumers are more open to having businesses push security onto their machines. In Asia, for example, banks push out protection against keystroke loggers to customers. However, fears of "Big Brother" make that unlikely in the United States, he said.

"In the states we are challenged with that," he said after the meeting.