Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Cyberpsychology: Turning Your Weakest Link into a Strength

August 2, 2016

  • Blog
  • Archive
CyberpsychologyWhen talking to many people about cyber security you will encounter a common expectation; that the technology alone will solve their security issues. It’s not always overt in the conversation but it’s always lurking in the expectations to a greater or lesser degree. Cyber security is, however, the same as any process within an organization today, it’s a combination of technology and people. We regularly hear about the insider threat (which also forms a part of a lot of the external threat vectors) and what a significant risk this is. There are technology-based solutions and process best practices that can be implemented to limit this risk but these do not address a key part of the concern, the people. Our people are part of the problem but they are also part of the solution and we should never lose sight of that. Anyone who’s ever made an impulse purchase in the supermarket knows that, as human beings, we are vulnerable to manipulation and despite our best efforts we may sometimes fall foul of these. So, our people are our weakest link but do they have to continue to be so? No, and as you may guess the answer is a mixture of technology and people. Technology is easy, to start with there are 4 layers to consider:
  • Least Privilege
  • Privileged Access Management
  • Vulnerability Management
  • System Configuration
Starting from the bottom, good system configurations will build a solid foundation on which you can layer tooling and processes. If you aren’t using known good, secure base builds for your workstations and servers then you are doing yourself a disservice. Stop and go work on that now. Once we have a secure foundation we need to make sure that we know of any weaknesses that have been identified in the materials, effective vulnerability management is essential there. Knowing what needs fixing first and how to fix it should be your primary concerns here. By reducing the vulnerabilities, we reduce the opportunity for the hacker to exploit the user when they open that email attachment. Next is privileged access management, getting control over who is accessing systems using privileged accounts, when and how helps reduce the risk introduced by the people using them. Preventing users from storing passwords on their system, on their desk, etc. or having the same password across many accounts helps limit the opportunity for exploits. Changing the passwords on privileged accounts every time they are used and having different passwords for every account on every machine reduces the people-risk dramatically. Implementing least privilege management is the icing on the cake. Eliminating any direct access to privilege for day-to-day activity means the opportunity for the insider threat is minimized. Your people are restricted to the privileges they need at a very granular level. It’s possible to have everyone on your network operating with a single, standard user account but still able to do what they need to be productive… even the admins. That’s a lot of technology but with each of those technologies comes change and that’s our first people issue. People don’t like change and they will rail against it. We need to help them understand the need for the change and how it will help them in the long run. A more constrained environment makes it easier to manage and know where remaining risks are but also it reduces the burden of responsibility on the people using them. If you are logged into a system as the administrator then you have a huge responsibility, not only to not open email attachments from people you don’t know (and those that you do) but also not to make mistakes. That level of access often comes with additional administrative overheads, training courses, certifications, re-certifications, etc. If that’s removed then the people have less of that to distract them from their actual work, a safer workplace is a more productive one. When engaging our people to join us as part of the cyber security solution for our organization, we need to ensure we are applying the right Cyberpsychology and putting concerns in the appropriate language and at an appropriate level of concern. We shouldn’t look to terrify our people, that will lead to greater risk not less. People under stress are more likely to make mistakes and that’s the last thing we want. We also don’t want complacency, we want that difficult middle ground and the only way to get that is to get the people involved (or at least key representatives from our people). Our people are key stakeholders in the on-going success of the organisation, particularly in cyber security or, to put it another way, Business Continuity. So get them involved early, change is easier if you are part of the decision making process. Keep your people informed throughout the process of change, regularly, inclusively and listen to their input. Where their input can’t be adopted or isn’t appropriate then take the time to explain, in person and work through the reasons. A simple ‘no’ isn’t going to engender the kind of engagement you need to make the process a success. Just as cyber security isn’t a point-in-time activity neither is the engagement of your people, keep them involved, keep them informed and your biggest weakness will become your biggest strength. Editors note: This post was originally posted July 27, 2016 on Security News Desk.

Brian Chappell

Director, Product Management

Brian has more than 25 years of IT and cybersecurity experience in a career that has spanned niche system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian leads the Product Management of the flagship Password Safe product globally, ensuring the delivery of a world-class, industry-leading Privileged Password and Session Management solution. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Webcasts | February 09, 2021

Customer Webinar: Remote Support 21.1 Released!

Webcasts | February 24, 2021

Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets

Whitepapers

Evolving Privileged Identity Management (PIM) In The 'Next Normal'

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.