In terms of cybersecurity, an organisation’s people (users) are frequently identified as potentially the greatest weakness—the enterprise’s security Achilles’ heel. As unpalatable a note as this may strike—as if we are not valuing or trusting the very people who make our businesses possible—the cold, hard fact for many organisations is that people do present the biggest security risk. The question is—why? The follow-up question is—what can, or should, be done about it?
However, there’s another question we must answer first – what do we mean by weakness?
In most IT security scenarios, weakness refers to the tendency to make mistakes. The list of mistakes that could lead to a cybersecurity breach is long and, for the most part, entirely avoidable. With that said, if there is a poster child for a human mistake-driven breach, it would be a phishing/smishing attack. These social engineering attacks often exploit the victim’s innate desire to be a useful team member.
For instance, a phishing attack may involve a faked message from the ‘CEO’ who is seeking urgent help from that one individual to address an issue or complete a task. The employee’s critical mistake is neglecting to adequately verify the source of the urgent, ‘act now’ message from someone very senior in the organisation. It’s understandable that the mistake happens; we are human, and subject to the stimulus/response cycle. If you’ve never impulse purchased something tasty that was positioned in your eyeline, or fallen for a 3-for-2 offer in a supermarket, then I salute you.
Let’s return to that first question—what causes our people to be a security weakness? Culture is clearly a contributing factor. If your people don’t feel empowered to check on an urgent instruction when it’s unusual, they are simply doing what they’re told is right. That’s rarely the case—most organisations recognise that empowerment is fundamental to success. Great ideas can emerge from any part of the organisation and should have open paths to be explored.
Another area of culture that isn’t readily apparent is how cybersecurity itself is framed within the organisation. In many companies, cybersecurity (or security in general) is considered a necessary evil. The perspective may be that IT security’s role is to dictate controls, however intrusive or cumbersome, to protect the organisation. The controls are mandatory.
Few people respond well to that approach. Thus, most organisations will explain why the controls are important, in the hope that framing the risks the controls help solve will aid adoption. That said, those controls will often impair the user’s ability to execute on their role, or even their ability to be relaxed and comfortable at work – wherever that may be these days.
This boils down to the cybersecurity team generally being seen as the people who say “No”. I’ve even heard them referred to as the “Work Prevention Team”. This impacts the cybersecurity team’s ability to engage employees. Without that engagement, it’s impossible to get people to join us on the cybersecurity journey.
Better Security Controls with PAM = Safer and more Productive People
How do we turn this around? How do we get engagement?
Counterintuitively, better engagement is achieved through tighter controls and turning the cybersecurity approach upside down for many of us. This application of technology and process with our people will help deliver a more flexible and permissive approach to security, while simultaneously providing a safer environment in which to work.
The foundation of this approach is to remove direct privileged access from all users, to bring their accounts back to the standard user baseline and build up from there. Enabling users to perform specific tasks, rather than trying to prevent a superuser account from doing unauthorised tasks, is far simpler to design and much easier to manage.
Endpoint privilege management tools allow you to implement the Principle of Least Privilege (PoLP) for your users, allowing each user only the privilege level needed for their role(s) within the organisation. This can be implemented with broad access and refined over time to be more granular, each progression increasing the control—without impeding the user’s productivity.
Because the user remains a standard user at all times, allowing them to install and run something like iTunes (other music players are available) or some tool/app to improve their working environment becomes possible with little or no risk. Any risk incurred is outweighed by the improvement in productivity and overall benefit to the organisation. The cybersecurity team become the “Yes” group, the “Work Enablement Team”, and engagement grows.
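To make the “standard user baseline plus specific tasks” idea concrete, here is an added example of the kind of deny-by-default elevation policy an endpoint privilege management agent evaluates when a standard user launches something. It is illustration code written for this article, not BeyondTrust’s product logic: the request fields, rule names, paths, publisher strings and hashes are all constructed. The point it shows is that the user never holds a superuser token; a matching rule grants a scoped privilege for one application, and a binary that arrives by a suspicious route (spawned from a mail client) or has been tampered with (hash mismatch) simply runs, or is blocked, as a standard user.

```python
"""Added example: deny-by-default application elevation policy.
Not BeyondTrust code; every identifier below is constructed for illustration.
"""
from dataclasses import dataclass
import fnmatch
import hashlib
from typing import List, Optional


@dataclass(frozen=True)
class LaunchRequest:
    path: str
    sha256: str
    publisher: str          # code-signing subject, "" if unsigned
    user_roles: frozenset   # roles held by the (standard) user
    parent: str             # parent process image name


@dataclass(frozen=True)
class Rule:
    name: str
    path_glob: str
    grant: str                         # scope granted: "install" or "admin"
    roles: frozenset                   # roles permitted to use this rule
    publisher: Optional[str] = None    # require this signer if set
    sha256: Optional[str] = None       # pin one exact binary if set
    # elevation is never granted to something spawned by a mail or office
    # client: that is the phishing path the article describes
    blocked_parents: frozenset = frozenset({"winword.exe", "outlook.exe"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    scope: str              # "standard" whenever nothing is elevated
    rule: Optional[str]
    reason: str


def evaluate(req: LaunchRequest, rules: List[Rule]) -> Decision:
    """First rule whose path and role match decides; otherwise standard user."""
    for rule in rules:
        if not fnmatch.fnmatch(req.path.lower(), rule.path_glob.lower()):
            continue
        if not (req.user_roles & rule.roles):
            continue
        if rule.publisher is not None and req.publisher != rule.publisher:
            return Decision(False, "standard", rule.name, "signer mismatch")
        if rule.sha256 is not None and req.sha256 != rule.sha256:
            return Decision(False, "standard", rule.name, "hash mismatch")
        if req.parent.lower() in rule.blocked_parents:
            return Decision(False, "standard", rule.name, "blocked parent")
        return Decision(True, rule.grant, rule.name, "matched")
    return Decision(False, "standard", None, "no rule: runs as standard user")


# Constructed policy: a known installer may elevate for "install" only, and
# helpdesk staff may run the management console as admin. Hashes are computed
# from placeholder bytes so the example is self-contained.
ITUNES_HASH = hashlib.sha256(b"constructed iTunes installer bytes").hexdigest()
POLICY = [
    Rule("music-player", r"C:\Users\*\Downloads\iTunesSetup.exe", "install",
         frozenset({"staff"}), publisher="Apple Inc.", sha256=ITUNES_HASH),
    Rule("device-manager", r"C:\Windows\System32\mmc.exe", "admin",
         frozenset({"helpdesk"}), publisher="Microsoft Windows"),
]


def demo() -> dict:
    """Evaluate four constructed launches against POLICY."""
    staff = frozenset({"staff"})
    path = r"C:\Users\alice\Downloads\iTunesSetup.exe"
    return {
        "good": evaluate(LaunchRequest(path, ITUNES_HASH, "Apple Inc.",
                                       staff, "explorer.exe"), POLICY),
        "tampered": evaluate(LaunchRequest(
            path, hashlib.sha256(b"trojanised build").hexdigest(),
            "Apple Inc.", staff, "explorer.exe"), POLICY),
        "from_mail": evaluate(LaunchRequest(path, ITUNES_HASH, "Apple Inc.",
                                            staff, "outlook.exe"), POLICY),
        "unknown": evaluate(LaunchRequest(
            r"C:\Users\alice\Downloads\invoice.exe", "deadbeef", "",
            staff, "explorer.exe"), POLICY),
        "wrong_role": evaluate(LaunchRequest(
            r"C:\Windows\System32\mmc.exe", "cafe", "Microsoft Windows",
            staff, "explorer.exe"), POLICY),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:10} allowed={d.allowed} scope={d.scope} reason={d.reason}")
```

Each `Decision` carries the rule and reason, which is what the agent would write to its audit log; refining the policy over time, as the text describes, means adding narrower rules, not handing the user a broader token.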
Access to shared and default privileged accounts can be managed through Privileged Password and Session Management solutions. These tools remove the burden of owning and managing privileged accounts and their passwords from the users, while still allowing controlled access as and when needed.
Automated processes that regularly change and verify the passwords for those accounts help eliminate the risk of brute force and pass-the-hash-type attacks – even when password files are stolen. The ability to initiate sessions directly with target systems using native tools means the passwords themselves are never shared and don’t need to be typed. In that scenario, moving to maximum length and maximum complexity passwords for each target becomes a reality – effectively eliminating the possibility of a password attack.
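The two behaviours just described, scheduled rotation with verification and brokered sessions in which the user never sees the password, are shown together in the following added example. It is written for this article and is not BeyondTrust’s product code; the `TargetSystem` class is a constructed stand-in for a managed host (it stores only a salted hash and enforces a maximum password length), and the account name, host name and dates are made up. A rotation only replaces the stored secret once the new password has been verified against the target, so a failed change never strands the vault with an unusable credential.

```python
"""Added example: privileged password vault with verified rotation and
brokered sessions. Not BeyondTrust code; the target system is a constructed
in-memory stub and all names and dates are illustrative.
"""
import datetime as dt
import hashlib
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 50_000


class TargetSystem:
    """Constructed managed host: keeps a salted hash, enforces max length."""
    def __init__(self, name: str, account: str, password: str, max_len: int = 128):
        self.name, self.account, self.max_len = name, account, max_len
        self.failed_logins = 0
        self._set(password)

    def _set(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def authenticate(self, account: str, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        ok = account == self.account and secrets.compare_digest(candidate, self._digest)
        if not ok:
            self.failed_logins += 1
        return ok

    def change_password(self, account: str, old: str, new: str) -> bool:
        if len(new) > self.max_len or not self.authenticate(account, old):
            return False
        self._set(new)
        return True


@dataclass(frozen=True)
class Session:
    """Handle returned to the requester: identifies the session, holds no secret."""
    target: str
    account: str
    requester: str
    opened_at: dt.datetime


class Vault:
    def __init__(self, max_age: dt.timedelta = dt.timedelta(days=7)):
        self.max_age = max_age
        self._store: Dict[Tuple[str, str], Tuple[str, dt.datetime]] = {}
        self.audit: List[tuple] = []   # constructed audit trail

    @staticmethod
    def generate(length: int) -> str:
        """Maximum-length password over the full printable set."""
        return "".join(secrets.choice(ALPHABET) for _ in range(length))

    def onboard(self, target: TargetSystem, password: str, now: dt.datetime) -> None:
        if not target.authenticate(target.account, password):
            raise ValueError("cannot onboard: current password does not verify")
        self._store[(target.name, target.account)] = (password, now)

    def rotate(self, target: TargetSystem, now: dt.datetime) -> bool:
        key = (target.name, target.account)
        old, _ = self._store[key]
        new = self.generate(target.max_len)
        # commit the new secret only after the target confirms it works
        if target.change_password(target.account, old, new) and \
                target.authenticate(target.account, new):
            self._store[key] = (new, now)
            self.audit.append(("rotated", key, now))
            return True
        self.audit.append(("rotation-failed", key, now))   # keep last known-good
        return False

    def rotate_due(self, targets: List[TargetSystem], now: dt.datetime) -> List[str]:
        """Scheduled job: rotate every account older than max_age."""
        return [t.name for t in targets
                if now - self._store[(t.name, t.account)][1] >= self.max_age
                and self.rotate(t, now)]

    def open_session(self, target: TargetSystem, requester: str,
                     now: dt.datetime) -> Optional[Session]:
        """Vault authenticates on the user's behalf; the password is never returned."""
        key = (target.name, target.account)
        password, _ = self._store[key]
        if not target.authenticate(target.account, password):
            self.audit.append(("session-denied", key, requester, now))
            return None
        self.audit.append(("session", key, requester, now))
        return Session(target.name, target.account, requester, now)

    def password_length(self, target: TargetSystem) -> int:
        return len(self._store[(target.name, target.account)][0])


def demo() -> dict:
    """Onboard one constructed host, rotate on schedule, broker a session."""
    t0 = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    host = TargetSystem("db01", "root", "Initial-Pass-2024!", max_len=96)
    vault = Vault(max_age=dt.timedelta(days=7))
    vault.onboard(host, "Initial-Pass-2024!", t0)
    not_due = vault.rotate_due([host], t0 + dt.timedelta(days=1))
    rotated = vault.rotate_due([host], t0 + dt.timedelta(days=8))
    session = vault.open_session(host, "alice", t0 + dt.timedelta(days=8, hours=1))
    # a secret leaked before rotation (e.g. from a stolen password file) is dead
    leaked_old_works = host.authenticate("root", "Initial-Pass-2024!")
    return {"not_due": not_due, "rotated": rotated, "session": session,
            "leaked_old_works": leaked_old_works,
            "current_len": vault.password_length(host), "audit": vault.audit}
```

The `Session` handle returned to the requester contains no credential, which is what lets a target accept 96-character random passwords: nobody ever has to read or type one, so there is no usability reason to keep them short.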
Lastly, ensuring that all privileged access occurs over secure links not only protects our users and systems, but also moves us a step closer to a Zero Trust environment, secured access being one of the core tenets of that architecture.
Our users can still be a risk as we look to move toward these approaches, but generally only when they haven’t been involved in the process from the first steps. Communication is key. The earlier you have key users involved, the better. They will become your champions for the change, helping their colleagues see the benefits and helping avoid any unreasonable requirements surfacing along the way.
When we have control, we lower the risk of any successful phishing attack progressing beyond the initial access. When we have control, we can enable and empower our users to actually do more. When we have control, we can reduce their burden of responsibility and deliver a more relaxed work environment.
Our people are our greatest asset. They want to do what’s right for the business and the customer. The right security controls, coupled with effective communication, help ensure our people can work at their full potential, and be fully secure in doing so.
Brian Chappell, Chief Security Strategist
Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.