The leaves starting to turn outside my office window and the small pumpkin on my desk tell me that we’re getting into one of my favorite times of the year: the Halloween season. Halloween is a holiday that plays on fears. The American horror writer H.P. Lovecraft calls fear “the oldest and strongest emotion” and fear of the unknown “the oldest and strongest kind of fear”.
Security ultimately is about eliminating fears by making unknown dangers (risks) known. Once we know about risks, we can take steps to address them. We transform them from nebulous fears of the unknown to problems to be managed and mitigated.
So this month, in honor of Halloween, I want to talk about what arguably is the “oldest and strongest” risk to online security and what you can do about it.
It may seem odd for a column on social media and online security to call human error the “oldest and strongest” risk rather than something more technical like cookie theft, malware, or account hijacking. But the fact is that technologies and technology-related risks come and go but humans remain the constant throughout. And, because technologies are ultimately tools in the hands of humans, nothing can screw things up worse or more spectacularly than a human being. The simple fact is that no amount of technology-based controls can fully eliminate the risk of human error.
We saw this fact highlighted again in the world of social media in the past week with KitchenAid having to apologize for a political tweet that went out after last week’s Presidential debates. KitchenAid retracted the tweet and apologized quickly, handling the issue well. In their explanation, they said that it happened when an employee mistakenly tweeted from “the KitchenAid handle instead of a personal handle”.
It’s an episode reminiscent of the Chrysler Twitter misfire in 2011. While Chrysler at first claimed the account had been hacked, they ultimately said it was because a social media channel manager sent the message to the wrong channel.
The fact that they first claimed it was an online security incident underscores how human error can cause as much if not more harm than what we think of as traditional “security incidents”.
These are just two of the better-known examples. There’s also a host of “security incident” class events that can ultimately be attributed to human error. They run the gamut from decisions that make security controls ineffective (like bad password choices) to bad decisions that put millions of people’s personal information at risk (like sending two more data CDs with the same personal information after the first one was lost in the mail). And in all cases, technology can’t prevent it from happening.
If technology can’t help mitigate this “oldest and strongest” risk, what can you do about it? Since the problem is a human one, the best solutions are human ones: specifically, how you and your employees look at things and the practices you engage in. There are three simple things you can do that help make human error less common by mitigating the circumstances that enable it to happen in the first place.
- Assume things will fail: This is a very simple rule. I think of it as using Murphy’s Law to your benefit. Figure out what the worst thing that could happen is, and then eliminate that possibility. Going back to our Twitter misfires, my guess is that the people who made those mistakes were using a tool like Tweetdeck that had personal and professional accounts loaded. Following this rule, you would identify that there’s a real chance you could send to the wrong account in that configuration. So you mitigate the risk by eliminating that possibility: don’t co-mingle personal and professional accounts in the same tool. In general, you’ll find that taking some time to identify and eliminate places for possible future error can prevent a lot of things from happening.
- Don’t rush: The Roman Emperor Augustus used to like the phrase “make haste slowly” and that’s a good one to follow. There is probably no single greater contributor to human error at the moment of the mistake than rushing. Even in the time-critical world of social media, taking just a few extra moments can help eliminate errors. Look at it this way: the five seconds you save by not checking before hitting post may translate into five days’ worth of extra, needless work. Invest the five seconds so you can save the five days.
- Create systems of checks and balances and use checklists: Any quick look at high-risk fields that have little margin for error shows that a common practice is the use of checks and balances along with checklists. Looking at aviation, for example, you can see that there’s a whole rigorous, structured process of pre-flight checking using lists worked through by more than one person. While a system that rigorous and structured may be overkill for your social media practice, having a standard checklist (check spelling, check account) and review by another pair of eyes is still worth considering. Human memory can be spotty, especially under stress. And it’s a well-known fact that we can be truly blind to our own mistakes (“I’ll swear it was set to @Kitchenaidusa”). This is also where the second rule (don’t rush) comes into play, by allowing time for proper checking. Checklists and checking by others put in place a hard break that makes rushing harder than if you were simply flying by the seat of your pants on your own.
This is not to say that technical aspects of security aren’t important: they are. But no technical security system will ever successfully save you from yourself. When you consider the risks to the security and integrity of your social media properties, you should take time to learn and know the oldest and strongest risk to your properties. Look in the mirror and then take steps to protect your properties from yourself.