Stop blaming the victims

“Laziness is compromising our online security.” That’s the headline and message of an article by Lee Matthews over at ExtremeTech. Here’s the basic gist of the argument:

Basic security, such as updating web server software, is easy. Most people don’t do it. Therefore, most people are lazy. This is a core cause of the Web’s security woes.

This is a classic case of “blame the victim,” and if anything is lazy here, it’s the thinking. Keeping software up to date isn’t easy. Consider WordPress, which has made things much easier in recent years with its one click update feature. Except, in reality, it’s still not really one click. First you have to logged in to even know that there’s an update available. Then, when you click, you’re encouraged to back up both the database (another one-click operation) and your files (a manual process involving connecting via FTP to your web server). Then, after you update, you might still have to update plugins, and of course you have to check that the update didn’t break anything. As for updating the underlying PHP platform, this is often impossible for a site owner using a shared hosting plan and non-trivial for hosting providers that risk breaking their customers’ PHP applications in the process.

Even when things are easy, people have various reasons for not doing them. Laziness is just one. Maybe updating WordPress is less important to their lives or their businesses right now than other items on their to do lists. Maybe they don’t understand the security implications of not updating WordPress (which could affect how they prioritize it). Maybe they’re overwhelmed by all the things each week that they’re supposed to update: smartphone apps, the operating system, web browser, plugins, etc.

The technology industry still has a long way to go to make technology easy to use securely and to keep secure for users. Most of those users are not tech geeks like the readers of ExtremeTech. And the majority of them, most likely, aren’t lazy.