Improving the User Experience to Address the Human Element of Cybersecurity

Advances in security technology have forced cyber attackers to turn to the weakest link in the security chain – the human element. With 88 percent of security breaches caused by human error, technology teams across the Federal government are searching for ways to address the human side of cybersecurity to keep networks and systems safe while also meeting Federal security mandates.

MeriTalk recently sat down with Zane Bond, director of product management at Keeper Security, to discuss how user experience plays a role in cybersecurity and can help reduce mistakes that lead to security breaches.

MeriTalk: It seems like every week we learn about another security breach on the news. How often does human behavior play a role in security breaches, and how?

Bond: The way bad actors attack agencies and organizations is constantly evolving. They will always try to find the path of least resistance. Back before there were strong network security protocols, cyber attackers would attack the network directly. So, technology teams locked systems down. Then the attackers moved to the endpoints. So those were locked down. As the easy technology target components were eliminated, attackers turned to human-centric attacks through social engineering methods like phishing. In these types of attacks, employees are tricked into either clicking on a link, opening an attachment, or sharing personal information. When the employee falls for the bait, the attackers can get into the network and do their damage. Unfortunately, in today’s world, the human element is the current weak point on the security chain.

MeriTalk: There is a constant battle between technology teams that want to implement strong security protocols and end users who want an easier, better, or simpler user experience. How can agencies create a balance between the two?

Bond: Whenever possible, don’t go for balance. If you make a product too complex to use through increased security protocols, users simply won’t use it. They will find a workaround to get their jobs done, and that shadow IT leads to significantly increased security risks. Meanwhile, the technology team has a false sense of security because they think employees are using the security tool they implemented. Instead of finding a balance, start with focusing on the user experience – technology that will make people’s lives easier. Then, find the security tools to make that happen. Many security products improve the user experience instead of adding additional barriers. With Keeper Security, we looked for user pain points in password security and access. We then built a solution that first improved their experience – which meant they were more likely to use the tool – and then developed the security on the back end. If you find a tool that makes people’s lives easier that just happens to be more secure – you get the best of both worlds.

MeriTalk: How, in fact, can security technology create a better user experience?

Bond: When we implement security, there are mandates and compliance regulations to meet, but if you focus solely on the rules, you may create security features that make tools very difficult to use. When building or implementing any new security technology, it’s always a good idea to do a sanity check. Run through the security protocols yourself to understand the experience from a user perspective. If it’s too difficult for you to use, imagine what it will be like for your users who have to go through those protocols several times a day. Mandates, policies, and compliance regulations inform technology teams that they have to secure systems. How they do that is generally up them. If security is approached from a user perspective, technology teams will have more success in meeting the mandates and compliance requirements because their users will actually use the more secure tools.

MeriTalk: Since the release of the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity, agencies across the Federal government are quickly moving to a zero trust architecture to secure Federal systems and networks. Federal CISO Chris DeRusha reported “tremendous progress” to a House subcommittee. What are the greatest successes you have seen so far, and what pitfalls should technology teams be aware of as they move forward?

Bond: The order and controls around zero trust in the cyber EO really hit the mark. It’s refreshing to see. The cyber EO is good for security and it’s really good policy. Agencies should keep in mind that zero trust is an evolution from previous security practices, which will continue to evolve as technology advances emerge – and as bad actors find new ways to breach systems. Zero trust isn’t a destination. Technology teams will always have to remain vigilant.

MeriTalk: Password security is a component of a zero-trust architecture. What is human-centric password security, and why is it essential securing Federal networks?

Bond: Verizon recently published its 2022 Data Breach Investigations Report, which showed that 66 percent of breaches were caused by compromised credentials, so password security is extremely important in stopping bad actors from getting into your network. A zero-trust architecture is built on the idea that people need to be authorized and validated whenever they access different areas of the network. Human-centric password security is really about ensuring the zero-trust principle of least privilege by monitoring users and their network activities and intervening before suspicious behavior escalates into a full blown breach. Through constant monitoring, technology teams can get a picture of what is normal and what is suspicious behavior. When they see something suspicious, which is usually flagged through alerts, they can contact the person to see what may be going on. Keeper Security reports on hundreds of event types across our ecosystem to support this effort.

MeriTalk: Most people look to technology teams to improve cybersecurity, but securing agency networks and data is everyone’s responsibility. What can government leaders do to shift user mindsets and user behaviors among their employees?

Bond: Because there have been so many high-profile breaches recently, awareness is no longer the problem it used to be. People know cyber attackers are trying to break in. Now it really comes down to identifying potential types of attacks, and then educating teams about those attack methods so they can stay vigilant. Security tools can only get you so far. You have to train people on what to look out for to reduce mistakes that lead to breaches.

MeriTalk: Along those same lines, the Biden administration issued an Executive Order on Transforming the Federal Customer Experience and Service Delivery to Rebuild Trust in Government. While primarily focused on constituent experiences, what elements in that EO can also be applied to government employees to improve their user experience? How can the spirit of the EO be met while also keeping government networks secure?

Bond: To meet the customer experience EO mandates, agencies have to understand service delivery from the customer perspective to learn how to improve it. Implementing security protocols should be handled the same way. Technology teams need to know how easy the tool is to use in practice by testing it out as a user. Understanding how the security tool affects users on a day-to-day basis is really important for the security tool to be effective.

MeriTalk: How does the Keeper Security solution reduce risks associated with the human element of cybersecurity?

Bond: Keeper Security meets stringent zero-trust security protocols on an architectural level – it’s just built in. We address the human element of cybersecurity by making things easier for users. One of our simplest components is logging in and storing credentials. Agencies could have so many security layers that just getting through that front door with your credentials and then accessing the internet to do your job could take a long time. Employees are under deadline, and they just want to get to where they need to go quickly. With Keeper Security, the user simply goes to their vault and chooses what site they want to log into, and we do the rest. Securely stored passwords are auto-filled, making access faster and easier. The user is on their way to a more productive workday. But there’s an enormous amount of security stuff that goes on under that, from validating the website, checking cross-site scripting, checking SSL certifications, checking encryption – stuff that users and technology teams no longer have to worry about. Agencies can have the best of both worlds with the Keeper Security solution – a security tool that improves the user experience.

MeriTalk: How does the Keeper Security platform integrate with other zero-trust security components?

Bond: Integrations are foundational to what we do. We integrate with existing security tools, including single sign-on, Active Directory, multifactor authentication, email verification, and even hardware keys so users can authenticate seamlessly. Through integrations, we are also able to enforce policies that are implemented across the entire environment, helping agencies stay compliant. We like to make things easy for users and also for the tech teams. Because we integrate with tools teams already have in place, there aren’t a lot of new things to learn. Our integrations also mean that implementation is fast. From a deployment perspective, if an agency has an account, employees literally go to the website, click “sign up,” and they are done. Team members could be up and running in five minutes. You don’t have to install appliances or get special approvals.

MeriTalk: What makes the Keeper Security platform different than other solutions on the market?

Keeper Security is the only password manager that is FedRAMP authorized, making it really simple for agencies across the Federal government to implement. We are Americans with Disabilities Act 508 compliant, so people with disabilities can access their files with screen readers. Beyond that, we include zero knowledge in our zero-trust architecture, which I think will eventually be a recommendation or policy from CISA. With zero knowledge, we as the vendor have no knowledge of what is inside a user’s vault. We don’t know what passwords are stored in there, and we don’t know where users are logging in from. If we are ever compromised, user data remains secure. Adding zero knowledge to the zero-trust architecture is really on the forefront of current security thinking. Finally, Keeper Security solutions are just easy to use and easy to deploy.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.