Companies are investing heavily in making users alert to the dangers of phishing or other ways that cybercriminals are trying to gain access to corporate assets. At the same time, many companies are also underinvesting in security infrastructure and in updating their tools. Wouldn’t it be better to make sure that IT security is so airtight that users don’t constantly have to be wary of potential breaches?
If you have started at a new company recently, you probably had to take several compulsory courses: about ethics in the workplace, about the internal systems and, most certainly too, about how to make sure you are not the cause of a security breach. That is quite logical: the number of attacks is on the rise and bad actors are using ever more sophisticated ways to trick end-users into clicking on a malicious document or lure them to an infected website. Educating users to recognize which email is trustworthy and which one is not will certainly help avoid breaches. A lot of companies these days offer tools and courses to raise awareness. However, there are some challenges with that approach.
Passing an exam before you open a bank account?
For starters, educating users is all very well in workforce environments. An employer can impose this awareness training on employees and use tools to test whether users are vigilant enough. That is a bit more difficult in vendor/customer relationships. Imagine your bank asking you to take a security awareness course before opening a bank account. Or imagine your bank sending you fake phishing mail to gauge your level of expertise.
Secondly, attacks have turned so sophisticated that it has become increasingly difficult for users to recognize them as such. Users have to be wide awake all the time and never let down their guard. You can compare this to having to take an exam and only passing the exam if you score 10 out of 10. Who can do that? The attackers have an easy job here: they only need one right action to succeed.
Close the door, please!
Information security is very much like securing your own house. If you go outdoors, you make sure that all doors and windows are closed and locked. And you would certainly never let a stranger in and let them wander through your house on their own. If you have children, you also teach them to lock the door. I don’t know about your children, but sometimes I feel like it might be better to have the door lock automatically, rather than trusting my adolescents’ alertness.
That is my point for information security too: why not ensure that the door is securely locked automatically and let the users do the job they were hired for and not turn everyone into a Chief Information Security Officer? After all, the technology to provide airtight security is available and waiting to be implemented. Just think of technology like Multi-factor Authentication (MFA). Users have acquired ample experience using MFA for some of the applications they use in their private lives, for instance, banking applications, renting a holiday home, or making payments in a webshop. There is no reason to assume consumers are reluctant to use MFA in a professional environment. By using MFA – even if employees’ credentials have been stolen through a clever phishing mail – attackers will not get onto your systems. MFA will also help protect you against password reuse and brute force attacks. By using passwordless or even deviceless MFA, or using push notifications rather than mobile authenticators that ask you to key in a pin, you are adding an extra layer of security.
Using data to build a high fence
Using biometrics and behavioral analytics can take it another step further, so you are even more sure that the right person is trying to log in. Gathering as much information as possible about a user is exactly how attackers work: the more they know about a person, the easier it is for them to pose as that individual and gain access on their behalf. By using progressive profiling on your users, you can turn the same idea to your advantage and increase security. Collect information on devices used, IP addresses, locations and so on, and feed this information into the workflows and policies you impose. As soon as anything happens that does not fit the usual pattern, your Identity and Access Management (IAM) solution will intervene. In that sense, the data you collect are the bricks that you use to put a wall between you and potential attackers.
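To make the two previous sections concrete, here is a small, self-contained illustration of the kind of policy an IAM system runs behind the scenes: the password alone never opens the door, MFA is always required, and the data collected through progressive profiling (known devices, countries and networks) decides whether ordinary MFA is enough, whether a stronger step-up is needed, or whether the attempt looks like stolen credentials in use and is blocked. This is an added example written for this post, not code from any product or from the original article; the class names, the scoring weights, the thresholds and every sample value (the user "alice", the device ids, the IP addresses, the country codes) are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed illustration of a risk-based login policy. The weights, thresholds,
# names and sample data below are assumptions chosen for the example.


@dataclass
class UserProfile:
    """What progressive profiling has learned so far about one user."""
    username: str
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_networks: list = field(default_factory=list)  # ipaddress network objects


@dataclass
class LoginAttempt:
    """One login as the IAM system sees it, after the password has been checked."""
    username: str
    password_ok: bool
    device_id: str
    source_ip: str
    country: str


def make_alice_profile():
    """Constructed sample profile: one known laptop, one country, one office /24."""
    return UserProfile(
        username="alice",
        known_devices={"laptop-a1"},
        known_countries={"BE"},
        known_networks=[ip_network("198.51.100.0/24")],
    )


def risk_score(profile, attempt):
    """Add up how far this attempt deviates from the user's usual pattern."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if attempt.country not in profile.known_countries:
        score += 40
        reasons.append("unusual country")
    if not any(ip_address(attempt.source_ip) in net for net in profile.known_networks):
        score += 20
        reasons.append("unfamiliar network")
    return score, reasons


def decide(profile, attempt):
    """The door is locked by default; the collected data decides how hard it is to open.

    Returns (decision, reasons), where decision is one of:
      deny            - wrong password; nothing else matters
      allow_after_mfa - usual device, country and network: ordinary MFA is enough
      step_up         - something new: stronger verification plus device enrollment
      block           - looks like a stolen password on an attacker's device
    """
    if not attempt.password_ok:
        return "deny", ["wrong password"]
    score, reasons = risk_score(profile, attempt)
    if score == 0:
        return "allow_after_mfa", reasons
    if score <= 60:
        return "step_up", reasons
    return "block", reasons


def learn(profile, attempt):
    """Progressive profiling: after a successful step-up, the new context becomes usual."""
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    profile.known_networks.append(ip_network(f"{attempt.source_ip}/24", strict=False))


def run_scenarios():
    """Walk the constructed profile through a few logins; returns the decisions in order."""
    alice = make_alice_profile()
    usual = LoginAttempt("alice", True, "laptop-a1", "198.51.100.23", "BE")
    new_phone = LoginAttempt("alice", True, "phone-b2", "198.51.100.40", "BE")
    stolen = LoginAttempt("alice", True, "unknown-x", "203.0.113.9", "ZZ")  # phished password, attacker's device
    bad_pw = LoginAttempt("alice", False, "laptop-a1", "198.51.100.23", "BE")

    results = [decide(alice, usual)[0], decide(alice, new_phone)[0]]
    learn(alice, new_phone)                       # alice passed the step-up on her new phone
    results.append(decide(alice, new_phone)[0])   # the phone is now part of her pattern
    results.append(decide(alice, stolen)[0])      # correct password, everything else wrong
    results.append(decide(alice, bad_pw)[0])
    return results


if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

The scenario list shows the point of the post in miniature: the user on her usual laptop gets a low-friction login (still behind MFA), a new phone triggers a step-up once and is then remembered, and an attacker holding a phished but correct password from an unknown device in an unusual country is stopped without the user having had to spot the phishing mail. In a real IAM product the signals would include far more (behavioral analytics, biometrics, impossible-travel checks) and the weights would be tuned to the organization, but the shape of the decision is the same.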
Information security is an endless journey. By implementing the best possible technology and taking the right measures, you will no longer need to catch up with attackers; you can get one step ahead of them. People are the weakest link in any information security policy, so don’t rely on them, rely on technology. And don’t blame the users if something goes wrong.