Friday, July 11, 2008

Web browser security - what is an agency's duty of care to customers?

Google recently released a report on web browser security, conducted in June 2008, which found that more than 630 million internet users were not using the most secure version of their chosen web browser.

Mainly this reflected Internet Explorer use - 577 million users were not using the most secure version of the browser - largely represented by those using Internet Explorer 6 (rather than upgrading to IE7, which was released in October 2006).

My agency also still uses Internet Explorer 6 as our default web browser.

Fortunately, as a large organisation, we do not rely on our web browser to provide network security. Our IT professionals employ a series of firewalls and other safeguards to mitigate the risks of using an older and more vulnerable browser.

However, the majority of our customers do not have access to this level of IT skills and resources.

Home users either do not use firewalls at all or rely on the basic Windows firewall or the one that came with their modem. Sometimes there isn't a robust anti-virus product in use either.

Based on our website statistics, about 27% of visitors still use Internet Explorer 6 and another 3-4% use old versions of other web browsers.

This means that more than 30% of our website users are more vulnerable to security risks than they need to be.

My question is, what is our agency's duty of care towards these people - our customers?

I've identified the following options.
  1. No duty of care - it's a jungle out there, our job is to deliver government services not take on responsibility for the web browser choice of our customers.
  2. Warn - we should actively let people know that they should use the most current version of their web browser to protect their own security, but take no action to enforce the use of current browsers.
  3. Warn and inform - we should both actively warn people and show them visibly when they are not using the most secure version of a web browser, with a path to upgrade if they choose.
  4. Warn, show and take action - we should first warn and then block anyone not using the most secure browser versions, forcing our customers to upgrade.

Which is the best option?
I tend to disregard the first option - doing nothing is a poor solution when customer security is at risk.

The last option, take action, is a dangerous path to walk. For customers accessing our sites from within corporate environments there is generally no option to upgrade their browser. Forcing an upgrade would simply stop the sites being usable for these people - including our own staff (who use IE6).

We currently apply the second option - telling people they should use the most secure web browser, but stopping short of telling them whether they are using the most secure version. The shortcoming here is that many people do not know how to check if their web browser is the most current version, so may place themselves at risk unknowingly.

The third option - warn and inform
The report from Google recommends the third option - both warning the customer about the risk and telling them whether they are using the most secure version - with a path to upgrade if needed.

This approach is the most satisfying for me. It covers the duty of care I feel our agency has and supports customers who are not technically literate.
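To make the third option concrete, here is an added example (not code from the original post or the agency's site) of a client-side "warn and inform" check: it reads the browser's User-Agent string, compares the major version against a small "most secure version" table, and shows a non-blocking notice with an upgrade link. The IE7 entry comes from the post; the Firefox 3 entry and the upgrade URLs are assumptions and placeholders.

```javascript
// Added example for the post's option 3 ("warn and inform"): parse the User-Agent,
// compare the major version with a "most secure version" table and return a notice.
// Table reflects mid-2008: IE7 is from the post; Firefox 3 and the URLs are placeholders.
const SECURE_VERSIONS = {
  'Internet Explorer': { min: 7, upgrade: 'https://example.invalid/upgrade/ie' },
  Firefox: { min: 3, upgrade: 'https://example.invalid/upgrade/firefox' },
};

// Extract browser family and major version; null for families not in the table.
function parseUserAgent(ua) {
  let m = /MSIE (\d+)\.\d+/.exec(ua);
  if (m) return { family: 'Internet Explorer', major: parseInt(m[1], 10) };
  m = /Firefox\/(\d+)\./.exec(ua);
  if (m) return { family: 'Firefox', major: parseInt(m[1], 10) };
  return null;
}

// The UA header is client-supplied and trivially changed, so the result is good
// enough for advice but never for access control: this check informs, it does not
// block (the post's objection to option 4 for locked-down corporate desktops).
function assessBrowser(ua) {
  const parsed = parseUserAgent(ua);
  const rule = parsed && SECURE_VERSIONS[parsed.family];
  if (!rule || parsed.major >= rule.min) return { outdated: false, message: null };
  return {
    outdated: true,
    family: parsed.family,
    major: parsed.major,
    upgradeUrl: rule.upgrade,
    message: `You are using ${parsed.family} ${parsed.major}. Version ${rule.min} or ` +
      'later fixes known security problems. This site still works, but we recommend upgrading.',
  };
}

// Insert a plain, non-blocking banner at the top of the page (browser only).
function showNotice(doc, notice) {
  if (!doc || !notice.outdated) return false;
  const bar = doc.createElement('div');
  bar.setAttribute('role', 'alert');
  bar.textContent = notice.message + ' ';
  const link = Object.assign(doc.createElement('a'),
    { href: notice.upgradeUrl, textContent: 'How to upgrade' });
  bar.appendChild(link);
  doc.body.insertBefore(bar, doc.body.firstChild);
  return true;
}

if (typeof navigator !== 'undefined' && typeof document !== 'undefined') {
  showNotice(document, assessBrowser(navigator.userAgent));
}
```

Because the page still renders normally underneath the banner, staff and customers on corporate desktops that cannot upgrade are informed but never locked out.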

Which approach does your organisation take, and why?
