From the earliest days of the internet, bad actors have found ways to breach security protocols to disrupt operations, steal sensitive information, and even extort money through ransomware attacks.
Cyber attackers have always looked for the path of least resistance when launching an attack. Before there were strong network protocols, they would attack the network directly. When technology teams strengthened network security and locked systems down, attackers moved to the endpoints. Now that those are more secure, bad actors are targeting the next weak link in the security chain – the human element.
They are finding a lucrative target. Research from Stanford University found that 85 percent of security breaches are caused by human error. According to the FBI, $6.9 billion was lost in 2021 alone to scam artists using social engineering tactics, which is when fraudsters use deception to manipulate people into sharing confidential or personal information, such as passwords, that can then be used to break into systems and wreak havoc. A recent investigative report showed that 66 percent of breaches in 2021 were caused by compromised credentials.
Responding to Cyberattacks with Technology
In response to several high-profile breaches that disrupted the lives of many Americans, including the Colonial Pipeline attack that caused gas shortages along the East Coast, the Biden administration issued the Executive Order on Improving the Nation’s Cybersecurity (cyber EO) in 2021. The cyber EO mandated several key actions to secure our nation’s systems and data, including adopting a zero trust architecture.
“The order and controls around zero trust in the cyber EO really hit the mark,” said Zane Bond, director of product management at Keeper Security. “The cyber EO is really good policy. However, while there are mandates and compliance regulations to meet, focusing solely on technology implementation ignores the weakest link in the security chain. By not addressing the human element, agencies are still exposed.”
For example, Bond observed, “If you implement a security product that is too complex to use, employees simply won’t use it. They will find a workaround to get their jobs done, which leads to shadow IT – and significantly increased security risks.”
Implementing the technology may help agencies meet the security mandates, but it gives technology teams a false sense of security. “Just because the technology is implemented, doesn’t mean employees are using it,” Bond added.
Approaching Security From the User Perspective
Every time hackers have attacked the weakest link in the security chain, security teams have responded. Firewalls were built and fortified to protect networks, layered security protocols were implemented to stop lateral movement, and endpoints were secured. Following that same playbook, technology teams need to fortify the human element. That starts with understanding how employees work.
Technology teams should ask employees what they need to make their jobs easier. Ask them what frustrates them about the current technology. Focus first on their experience. Then, find the security tools that fit their needs, Bond advised.
“Many security products on the market really do improve the user experience instead of adding additional barriers,” he said. “When you find a tool, test it from the user perspective. If it is simple to use and makes people’s lives easier while also offering increased security, technology teams get the best of both worlds.”
It’s also important to keep up with employee training, Bond advised. Simple awareness is no longer an issue with employees because of all the high-profile breaches – they know the attackers are out there. But because hackers are savvy and always changing their tactics, it’s important to educate employees about the latest attack methods so they can stay vigilant. No employee wants to be the one that lets a hacker into the system. IT teams can help employees do their part in protecting agency networks by training them on what to look out for, which will reduce the risk of mistakes that lead to breaches.
Knowing User Behavior
Knowing how users work is an important element in stopping breaches. Knowing user behavior is another.
“Technology teams need to take a human-centric approach to password security in their fight against cyber attackers,” Bond said. “Human-centric password security is all about ensuring the zero trust principle of least privilege. Know your users and allow access to only what they need. Then constantly monitor them. That way, when suspicious activity occurs, security teams can intervene before the situation escalates.”
If an employee logs in at 2 a.m. for the first time, for example, that is unusual behavior and should be investigated. If an employee downloads materials from an area of the network they don’t normally go to, that should also be investigated. Through constant monitoring, technology teams can get a picture of what is normal and what is suspicious behavior. When they see something suspicious, which is usually flagged through alerts, they can contact the person to see what may be going on.
“Keeper Security reports on hundreds of event types across our ecosystem to support teams with monitoring,” Bond noted. “When teams are alerted to something suspicious, they can call the person. Everything may be fine, or it may be a security issue.”
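The baseline-and-alert monitoring described above can be sketched as follows. This is an added example, not code from the article or from Keeper Security; the event format, user names and the one-hour tolerance are assumptions, and the log lines are constructed samples.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): (timestamp, user, action, area)
BASELINE = [
    ("2024-03-04T09:02", "alice", "login", "-"),
    ("2024-03-04T09:15", "alice", "download", "finance"),
    ("2024-03-05T08:47", "alice", "login", "-"),
    ("2024-03-04T22:10", "bob", "login", "-"),   # bob works a night shift
    ("2024-03-05T02:05", "bob", "login", "-"),
    ("2024-03-05T02:20", "bob", "download", "ops"),
]
NEW_EVENTS = [
    ("2024-03-06T02:03", "alice", "login", "-"),
    ("2024-03-06T02:09", "alice", "download", "hr"),
    ("2024-03-06T02:01", "bob", "login", "-"),
    ("2024-03-06T02:30", "bob", "download", "ops"),
    ("2024-03-06T09:00", "carol", "login", "-"),
]

def build_baseline(events):
    """Record, per user, the hours they log in at and the areas they use."""
    hours, areas = defaultdict(set), defaultdict(set)
    for ts, user, action, area in events:
        if action == "login":
            hours[user].add(datetime.fromisoformat(ts).hour)
        elif action == "download":
            areas[user].add(area)
    return hours, areas

def detect(events, hours, areas, tolerance=1):
    """Return (timestamp, user, reason) for events outside the user's own baseline."""
    alerts = []
    for ts, user, action, area in events:
        if user not in hours and user not in areas:
            alerts.append((ts, user, "no baseline for user"))
            continue
        if action == "login":
            h = datetime.fromisoformat(ts).hour
            # Circular distance, so 23:00 and 00:00 count as one hour apart.
            if all(min((h - k) % 24, (k - h) % 24) > tolerance for k in hours[user]):
                alerts.append((ts, user, f"first login at {h:02d}:00"))
        elif action == "download" and area not in areas[user]:
            alerts.append((ts, user, f"first download from '{area}'"))
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, *build_baseline(BASELINE)):
        print(alert)
```

Because the baseline is kept per user, the same 2 a.m. login that raises an alert for alice is treated as normal for bob, which keeps alert volume low enough for a team to follow up by phone.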
Happy Users Lead to More Secure Systems
Mandates, policies, and compliance regulations inform technology teams that they have to secure systems. How they do that is generally up to them. If security is approached from a user perspective, technology teams will have more success in meeting the mandates and compliance requirements because their users will actually use the security tools. By making users happy and making their jobs easier with user-friendly security tools that work for them, not against them, agencies can significantly reduce the risk of a cyberattack and subsequent losses.