In the 2016 movie Ready Player One, humans live in the real world, but work and play in the virtual one, much like the world today. They earn money in the virtual world that can be used to shop for real-world items, all via virtual reality (VR) headsets, or for the well-to-do, a full-body VR station like a massage chair.
Near the climax of the movie, the protagonist aims to hack the antagonist’s VR station, which is “fixed, but very hard to break into”. However, he succeeds by noticing a post-it stuck to the edge of the chair, containing the password of the antagonist’s user account. Just like that, the system is breached, and our heroes are able to get vital information.
Although the movie was set in the year 2045, cybersecurity hygiene may just as well come from the year 2022. More than half (56%) of all cybersecurity breaches are due to human negligence, according to tech giant Cisco.
This kind of crime is not new. Miles Hutchinson, chief information security officer of identity company Jumio, says humans have been defrauding humans for centuries, and cybercrime is just “the modern flavour of it”.
The key difference is that people can execute it quicker than before. “They can adapt their attacks according to the societal situation that we’re in faster, with the aim of getting a reaction from people far quicker than before,” he explains.
Cybersecurity has taken centre stage with the pandemic, with experts, academics and even whole companies advocating for businesses and individuals to secure their systems, be it with end-to-end encryption, password managers, or multi-factor authentication.
While these are all valid strategies, they overlook one major factor, namely, the human. Many of us are guilty of setting easy passwords, or ones that are simple variations of the username. According to password manager NordPass, the most common passwords users set last year were “123456”, “qwerty” and “00000”, all of which can be cracked in under one second.
Moreover, passwordless authentication platform provider Beyond Identity found that 34% of employees write passwords on notes and sheets, while 26% keep them in a document on their computers. This means that if you come across an unattended computer, you stand a one-in-three chance of accessing it without even going through any cybersecurity.
Trust no one or device
So, is the failure point the human instead of the cybersecurity system? It may be a combination of both, especially with the rise of hybrid or remote work arrangements.
“[As organisations embrace hybrid work,] employees need to connect from anywhere on managed and unmanaged devices, over secured and unsecured networks, to applications in multiple clouds,” Jeetu Patel, Cisco’s executive vice president and general manager for security and collaboration, tells The Edge Singapore.
He adds that homes are the new “microbranch” of the office, where everyone is now a part-time security and network administrator.
To address this wide-ranging network that extends beyond a physical office building, Cisco is seeing customers moving towards a unified architecture for security and networking. Patel also highlights that “by fusing these capabilities together, we can reduce the complexity for operations teams and give them the agility they need to deal with changing work patterns and requirements”.
One way of doing so is to adopt zero trust, which Patel explains is treating every user and every device with the same stringent levels of security control. “Provide the least-privilege access model. Everyone must go through the same checks, no matter who they are or where they are,” he says.
Putting it simply, the concept of zero trust is akin to a security guard at an office refusing entry to anyone without a valid office pass, even the CEO of the company, whom the guard recognises and who has been there for 20 years.
But unlike a security guard who only conducts checks at the entrance, Patel advises organisations to be more skilled at personalising access to information and resources, as well as gain an understanding of what people are doing with that access once it is granted. “It’s not enough to verify the user and assess risk pre-login. We’re seeing customers start to continually assess risk and detect behaviour post-login, and alter or revoke access as needed,” he says.
Patel puts forward a hypothetical scenario: “Imagine an employee who logs in on a Mac from a home office and she wants to go on Salesforce to look at all the customer records. Since this is a very normal scenario, we should allow her to do that.”
He adds: “[But what if she’s no longer] in the same location? For instance, she’s in a coffee shop, connecting from a different laptop than her usual Mac on an unsecured network, and she’s trying to download six million customer records. That’s probably not the way that she typically behaves.”
Cisco’s solutions, he says, will detect such anomalies in real-time and intercept them so that someone pretending to be that employee cannot steal those customer records.
“This whole construct of continuous trusted access is where you’re granting trusted answers based on the behaviour that the user exudes on a continuous basis rather than just in one instance,” he notes.
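Patel’s scenario, as an added illustration of post-login, continuous risk assessment (this is not Cisco’s product logic; the field names, weights and thresholds are assumptions chosen for the example, and the baseline and events are constructed):

```python
# Toy continuous-access evaluator for the zero-trust scenario above (added
# illustration, not Cisco's product logic; weights/thresholds are assumptions).
from dataclasses import dataclass, field

@dataclass
class Baseline:
    """What is normal for one user, learned from past sessions (constructed here)."""
    known_devices: set = field(default_factory=set)
    usual_locations: set = field(default_factory=set)
    typical_record_volume: int = 1_000  # records this user usually pulls per request

@dataclass
class AccessEvent:
    """One post-login action; every event is re-scored, not only the login."""
    device_id: str
    managed_device: bool
    location: str
    network_trusted: bool
    records_requested: int

def risk_score(ev: AccessEvent, base: Baseline) -> int:
    """Sum of weighted deviations from the user's baseline (weights assumed)."""
    score = 2 * (ev.device_id not in base.known_devices)
    score += 2 * (not ev.managed_device)
    score += 1 * (ev.location not in base.usual_locations)
    score += 1 * (not ev.network_trusted)
    if ev.records_requested > 10 * base.typical_record_volume:
        score += 4  # bulk export far beyond normal volume is the strongest signal
    return score

def decide(ev: AccessEvent, base: Baseline) -> str:
    """Map risk to an action: allow, step_up (re-verify the user) or revoke."""
    score = risk_score(ev, base)
    return "revoke" if score >= 6 else "step_up" if score >= 3 else "allow"

def evaluate_session(events: list, base: Baseline) -> list:
    """Score each event as it arrives; once revoked, nothing further is granted."""
    decisions = []
    for ev in events:
        revoked = bool(decisions) and decisions[-1] == "revoke"
        decisions.append("revoke" if revoked else decide(ev, base))
    return decisions

# Constructed baseline and events for the employee in Patel's scenario.
EMPLOYEE = Baseline({"mac-home-01"}, {"home-office"}, 1_000)
NORMAL = AccessEvent("mac-home-01", True, "home-office", True, 500)
TRAVELLING = AccessEvent("laptop-work-02", True, "coffee-shop", False, 500)
ANOMALOUS = AccessEvent("laptop-unknown", False, "coffee-shop", False, 6_000_000)
```

The usual home-office session is allowed, a managed but unfamiliar laptop from a coffee shop triggers re-verification, and the bulk download from an unmanaged device on an untrusted network revokes the session, after which later events are not granted.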
Going back to human negligence, Patel attributes it to two factors. The first is the sophistication of the attacks; the second is the complexity of security solutions, which has created a tremendous amount of friction for the user.
Cisco observes that when organisations lower the friction for the user, the efficacy of security systems tends to skyrocket. Nick Biasini, head of outreach at Cisco Talos — which is Cisco’s threat intelligence organisation — says that security measures should be calibrated to the sensitivity of the information they are supposed to protect.
He gives the example of multi-factor authentication (MFA), a popular measure that requires multiple methods of authentication from independent categories of credentials.
To reduce “friction”, Biasini recalls an event where a chief information security officer (Ciso) brought up the idea of using social media plug-ins — such as a Facebook or Google account — for authentication when users log in to a non-sensitive work account.
While many dismissed it, a Ciso working for a large restaurant chain reaffirmed that as workable, saying, “Ninety percent of the calls I get are for requests to reset passwords. These users are typically young — [while they may not remember their passwords for their work accounts,] they’re never going to forget their social media password.”
Biasini adds that by using social media accounts as the authenticator, it allows them to continue to work and be successful at their job. Even if those accounts get compromised, the attackers will not have access to a lot of sensitive information. “[In cybersecurity, we tend to] make things very complex, out of necessity. However, we may not realise that not every user in the organisation needs to have that level of complexity,” he says.
Getting buy-in through user education
Educating users on the “why” aspect is also important. There is a huge knowledge gap between the IT team and the other employees, Biasini says, explaining that in most organisations, “you have people who are extremely knowledgeable about technology but [also those with] very little technical understanding and experience”.
To the knowledgeable IT team, some processes or actions may seem intuitive, but for someone who does not understand the rationale for MFA or a push-to-device login, there will be no buy-in from them. This creates friction as those users will simply go through the motions, like setting a complicated password, but writing it down on a post-it, defeating the purpose.
Jumio’s Hutchinson believes that the cybersecurity model is now beyond the IT team, adding that businesses are operating in a more digitised environment.
“If you’re in the business of handling customer data, your sales team need to understand security. Likewise, if you’re in the business of processing transactions, your finance team needs to know about cybersecurity too,” Hutchinson adds.
“[Businesses without an organisation-wide cybersecurity culture] run the risk of having a security issue at some point in time, probably sooner rather than later,” he says.
Cisco’s Biasini adds: “Spending the time on your users is going to pay you massive dividends down the road, either in preventing a breach from occurring or allowing them to potentially notify you because they know that something weird is going on. Maybe they won’t be afraid to contact security if they notice something strange on their computer, because they understand why we’re doing the things that we’re doing.”