When Companies Are the Weak Link in Cybersecurity: A Call for Change
By Jonathan D. Steele | October 17, 2024
Quick Answer: In an era of escalating cyber threats, many companies inadvertently undermine user security through restrictive policies that hinder effective cybersecurity practices. This article explores critical areas where businesses fall short, from blocking VPNs to imposing arbitrary password limitations, and calls for a reevaluation of these detrimental measures to foster a safer digital landscape for all.
— Jonathan D. Steele, Esq. (Security+, ISC2 CC, CEH)
In an age where cyber threats are increasingly sophisticated, adhering to cybersecurity best practices is more critical than ever. Yet, paradoxically, some companies inadvertently—or even intentionally—make it difficult for users to protect themselves effectively. This not only puts individual users at risk but can also have broader implications for data security and privacy on a global scale. Let's delve into some common ways companies undermine cybersecurity best practices and why it's imperative for them to reconsider these policies.
1. Blocking VPN Usage
Virtual Private Networks (VPNs) are essential tools for safeguarding online privacy, especially when connected to public Wi-Fi networks. A VPN encrypts the traffic between your device and the VPN provider, making it difficult for anyone on the local network to intercept sensitive information. However, streaming services like Netflix, Hulu, and even some banking apps often block VPN connections. While their primary goal is to enforce geo-restrictions due to licensing agreements, this practice punishes users who employ VPNs for legitimate security reasons.
The Problem: By blocking VPNs outright, these companies force users to choose between accessing their services and maintaining optimal security. This is a false dichotomy that shouldn't exist.
A Better Approach: Instead of blanket bans, companies could implement more nuanced solutions like verifying user accounts through additional authentication methods, thus allowing VPN users to access services without compromising security.
2. Imposing Arbitrary Password Limitations
Strong passwords are a cornerstone of personal cybersecurity. They should be long, complex, and unique for each account. However, some websites impose arbitrary limits on password length and complexity—sometimes capping passwords at as few as 8 or 10 characters.
The Problem: Short passwords are exponentially easier to crack using brute-force methods. Moreover, if a website silently truncates a longer password without informing the user, it creates a false sense of security. Users might think they have a strong 20-character password when, in reality, only the first 8 characters are stored and required for authentication.
A Better Approach: Websites should allow for longer passwords and inform users of any limitations upfront. Better yet, they should remove unnecessary restrictions altogether and encourage the use of passphrases or complex passwords generated by password managers.
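The silent-truncation problem described above, as an added illustration that is not part of the original article: a constructed, in-memory password store that behaves correctly, a subclass that models a site keeping only the first 8 characters, and a self-check a site operator can run against their own login flow to detect truncation (register a long password, then try logging in with only its 8-character prefix).

```python
import hashlib
import hmac
import os


class PasswordStore:
    """Correct behaviour: every character of the password contributes to the hash."""

    def __init__(self):
        self._users = {}  # username -> (salt, derived key); constructed, in-memory only

    def _derive(self, password: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def _normalize(self, password: str) -> str:
        return password  # no length limit imposed

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(self._normalize(password), salt))

    def verify(self, username: str, password: str) -> bool:
        salt, expected = self._users[username]
        candidate = self._derive(self._normalize(password), salt)
        return hmac.compare_digest(expected, candidate)


class TruncatingStore(PasswordStore):
    """Models a site that silently keeps only the first 8 characters."""

    MAX_LEN = 8

    def _normalize(self, password: str) -> str:
        return password[: self.MAX_LEN]  # no error and no warning to the user


def truncates_passwords(store: PasswordStore, probe: str = "correct-horse-battery-staple") -> bool:
    """Self-test for a service's own login: register a long password, then
    attempt login with only its 8-character prefix. A successful login means
    the remaining characters were discarded at registration."""
    store.register("probe-user", probe)
    return store.verify("probe-user", probe[:8])


if __name__ == "__main__":
    print("safe store truncates:", truncates_passwords(PasswordStore()))  # False
    print("truncating store truncates:", truncates_passwords(TruncatingStore()))  # True
```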
3. Disabling Paste Functionality for Password Fields
Password managers are highly recommended by cybersecurity experts as they generate and store complex passwords securely. However, some websites disable the ability to paste into password fields, ostensibly to prevent password pasting from insecure sources.
The Problem: Disabling paste functionality discourages the use of password managers and forces users to manually type in complex passwords, increasing the likelihood of errors and the temptation to use simpler passwords. Additionally, manual entry exposes users to keyloggers—a type of malware that records keystrokes.
A Better Approach: Instead of disabling paste functions, websites should encourage the use of password managers. They could implement additional security measures like two-factor authentication (2FA) to enhance security without inconveniencing the user.
4. Limiting Advanced Authentication Methods
Advanced authentication methods like hardware security keys and passkeys offer robust protection against phishing and unauthorized access. Unfortunately, many companies either don't support these methods or undermine their effectiveness by requiring less secure backup options—such as SMS-based authentication or authenticator apps—that users cannot disable.
The Problem: Even if you diligently use a hardware security key every time, mandatory backup methods create vulnerabilities. For instance, SMS-based 2FA is susceptible to SIM swapping and phishing attacks. Similarly, authenticator apps, while more secure than SMS, still represent an additional attack vector. It's akin to having a fortified front door while leaving the back door unlocked. The existence of these less secure backups can be exploited, negating the benefits of using stronger authentication methods.
Counterarguments and Rebuttal: Some might argue that having an authenticator app as a backup doesn't weaken security, as long as the hardware key is used consistently. However, the mere presence of a less secure backup means that attackers have an alternative route to compromise an account. Security isn't just about daily practices but also about eliminating potential weaknesses.
Underlying Issues: Companies may fear that allowing users to rely solely on hardware keys will lead to increased support calls from those who lose their keys and get locked out of their accounts. While this is a valid concern, it shouldn't override the user's choice to opt for maximum security.
A Better Approach: Companies should support advanced authentication methods without forcing users to enable less secure backups. They should provide clear disclaimers about the risks of losing a hardware key and let users decide the level of security they are comfortable with. Additionally, offering secure recovery options—like backup hardware keys or recovery codes stored in a secure location—can mitigate the risk of account lockout without compromising overall security.
5. Neglecting Security Updates and Transparency
Some companies fail to promptly update their software or inform users about security breaches and vulnerabilities.
The Problem: Delayed updates leave users exposed to known threats. Lack of transparency erodes trust and prevents users from taking proactive measures to protect themselves.
A Better Approach: Companies should prioritize timely security updates and maintain open communication with their users about potential risks and how they are being mitigated.
Conclusion
Cybersecurity is a shared responsibility between users and companies. While users must take proactive steps to protect themselves, companies have an obligation to facilitate—not hinder—these efforts. Companies need to prioritize user security, not convenience. Until they do, they are as much a part of the cybersecurity problem as any hacker. By reevaluating policies that undermine best practices, companies can enhance overall security, build trust with their users, and contribute to a safer digital environment for everyone.
Call to Action: If you encounter companies implementing these counterproductive measures, consider reaching out to their customer support to express your concerns. Advocacy for better security practices can drive change and help create a more secure online community.