Google announced recently that it plans to automatically enroll users in two-factor authentication to improve account security. This change to Google’s default security settings, both monumental and long overdue, is a recognition of what many in cybersecurity have known for years.
“You may not realize it, but passwords are the single biggest threat to your online security—they’re easy to steal, they’re hard to remember, and managing them is tedious,” wrote Mark Risher, Director of Product Management, Identity and User Security, in a blog post announcing the upcoming change.
Perhaps the biggest beneficiaries of this move are American businesses, which are losing more than $1 billion a year because of the security defaults on their software.
Software companies get to decide which security measures are turned on and, more importantly, which are left off. These become the “defaults,” predetermined settings that take effect unless we change them. Security measures create friction, like entering a code from our phones every time we log in to an account. They are an inconvenience we have come to accept, either because they keep our businesses safe or—as is now the case with Google—because we have no choice. And the stronger the security measure, the greater the friction.
As users, we are averse to the friction created by security measures because it diminishes our product experience. So, to ensure we have a positive experience, software companies often consciously choose to minimize the default security measures—even though they know it makes us more vulnerable to cyber attack and catastrophic financial loss.
Defaults are inherently powerful because they require action to change. We typically deviate from a default only if the benefit clearly outweighs the inconvenience. The power of defaults has been studied extensively over the past two decades, with examples ranging from organ donations to 401(k) contributions to healthy food options. It is clear in each case that we, when presented with a choice, prefer the path of least friction.
With such power, defaults also carry a great deal of responsibility. We assume the security defaults are in our best interest, especially when they are recommended by prominent software companies with strong reputations. We expect a certain level of scrutiny and simply cannot fathom the idea that a software company would intentionally set up their product in a way that puts us in jeopardy. But they do.
One of the clearest examples of this problem is cyber attacks that involve email forwarding rules. Cyber criminals often use the email forwarding rules within an email service to auto-forward incoming emails to an external address they control. The tactic has caught the attention of the FBI due to its growing prevalence. At-Bay estimates American businesses lost $220 million in cyber incidents related to email forwarding in 2020, based on analysis from our portfolio loss data. This type of attack is not especially sophisticated and can easily be prevented by reconfiguring a default mail-flow rule.
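A defender-side check for the tactic just described, added here as an example and not code from the article or At-Bay: it parses constructed inbox-rule audit records (the JSON field names and the internal domain list are assumptions, not any vendor's format) and flags every rule that forwards or redirects mail to an address outside the organisation.

```python
import json
from email.utils import parseaddr

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample of inbox-rule audit records (one JSON object per line),
# loosely modelled on what a mail platform exposes; field names are assumptions.
SAMPLE_AUDIT_LOG = """\
{"mailbox": "cfo@example.com", "rule": "Archive", "forward_to": ["archive@example.com"], "delete_message": false}
{"mailbox": "cfo@example.com", "rule": ".", "forward_to": ["cfo.mail@personal-mail.example.net"], "delete_message": true}
{"mailbox": "ap@example.com", "rule": "Invoices", "redirect_to": ["ap-team@example.com"]}
{"mailbox": "ap@example.com", "rule": "Partner copy", "forward_to": ["Jane Doe <jane@partner.example.org>"]}
"""

def parse_audit_log(text):
    """Parse JSON-lines rule records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def domain_of(addr):
    """Extract the lower-cased domain from 'Name <user@host>' or 'user@host'."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""

def external_targets(rule, internal_domains):
    """Return every forward/redirect target outside the organisation."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [t for t in targets if domain_of(t) not in internal_domains]

def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that auto-forward mail externally. A rule that also deletes
    the original (so the mailbox owner never sees the message) or carries a
    blank or one-character name is rated high; other external forwarding is medium."""
    findings = []
    for rule in rules:
        ext = external_targets(rule, internal_domains)
        if not ext:
            continue
        hidden = rule.get("delete_message", False) or len(rule.get("rule", "").strip()) <= 1
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule.get("rule", ""),
            "targets": ext,
            "severity": "high" if hidden else "medium",
        })
    return findings

if __name__ == "__main__":
    for f in audit_rules(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{f['severity']}] {f['mailbox']} rule {f['rule']!r} -> {', '.join(f['targets'])}")
```

Running it against a real export would mean replacing `SAMPLE_AUDIT_LOG` with the platform's rule listing and `INTERNAL_DOMAINS` with the domains the organisation actually owns.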
In fact, as Google has shown us, email clients already have built-in security controls against most types of cyber attacks: a two-factor authentication control against account takeover and credential abuse just like Google; an attachment filtering control against malware hiding in documents, presentations, or spreadsheets; a link filtering control against links to malicious websites that infect your browser; and even an “impossible travel” control that blocks a login from a location too far from the previous login to have been reached in the time between the two. Historically, all these controls have been turned off by default, though there is hope change is on the way.
Software companies are not intentionally turning security controls off for cyber criminals to exploit. They are prioritizing user experience over security measures—making decisions in their best interest, not ours—and it is easier to sell a product with minimal friction. However, we are rarely made aware of these trade-offs because software companies have no obligation to disclose them. And when we inevitably experience a cyber attack, software companies are not liable. The onus is on us to actively override the very defaults that make us vulnerable in the first place.
The blind trust we put into software companies has put American businesses at risk for years. (Google’s announcement about two-factor authentication is a step in the right direction, but Google isn’t the only company that ought to reconsider its security practices.) And not only is there no accountability, but there is also hardly any regulation in sight.
Software companies must stop the systematic transference of product risk and start enabling strong security measures by default, even if it adds friction. Google has identified the right path forward. They have successfully talked the talk and now must walk the walk. We must, as users, demand more transparency from software companies and hold them to higher standards. Until that time comes, it’s our job to remain diligent and challenge every assumption we make about software settings and security defaults. The health of our businesses depends on it.
Rotem Iram is founder & CEO of the cybersecurity insurance startup At-Bay.