Julia O’Toole at MyCena Security Solutions explains why it is essential for business leaders to be in control of their data
“Employees are the weakest link in cyber-security”. You hear this statement every day in the cyber-world. It basically means that insecure actions taken by employees are the leading cause of cyber-breaches.
But is it fair?
In the physical world, employees rightfully expect to work in a safe environment, set by industry standards and regulations for buildings, factories and lifts. However, when extending the workplace to the digital world, this expectation has been forgotten.
The pivotal moment was when companies started letting their employees make their work passwords to access their digital systems and data. In this process, the responsibility of security in the workplace went from the employer to their employees. As a result, organisations lost control over the fate of their own access and by extension, of their own data.
A boon for criminals
For criminals, that switch was a boon. With every employee, from contractor to cleaner, holding passwords to the company's networks, the attack surface became immense and every employee a prime target. With so many people to steal from, attackers no longer needed to hack in: in over 82% of breaches, they find someone's keys and simply log in.
However, who do you think should take the blame for the breach? The employees for getting their passwords stolen? Or the employer for letting employees make the keys to their business?
No training can make the workplace safe
Employees can argue it is their organisation's responsibility to provide them with security in the workplace. However, an organisation cannot provide it while it has lost control of its own access and depends on nobody ever making a mistake.
With the odds set against the organisation, annual awareness training, phishing drills and password-policy training deliver little result. AI-generated phishing content can now mimic a person's voice, image, behaviour and tone, and tools like ChatGPT make it even harder to distinguish legitimate emails from phishing.
Unsafe workplaces impact employees’ personal life
Employees can also argue they are not paid to work in security, yet they carry the mental burden of creating and remembering passwords, and the stress of being fired if they make a password error or fall victim to a phishing attack.
Because most people use the same or similar passwords for work and personal accounts, they also carry the risk that a password phished at work leads to identity theft and personal financial loss.
Corporate cyber-security: from bad to worse
With over 4 out of 5 breaches caused by human error, many organisations have turned to tools such as Single Sign-On (SSO), Identity and Access Management (IAM) or Privileged Access Management (PAM) to ease the mental load on employees.
However, these tools do not save them from human error, because companies still do not control their own access. A master password is just as easy to phish as any other, and once stolen it opens everything at once, so these tools simply raise the stakes of a single mistake.
If an attacker finds just one login and password, they can move laterally, find privileged access or admin credentials, control the whole network, infect the supply-chain, steal sensitive information, create new logins to sell on the Dark Web and launch ransomware attacks, all in a matter of hours.
Unsustainable supply chain risk
Because supply chains are interconnected, one stolen credential in one company can have ripple effects throughout the supply chain. The more people who hold credentials to your network, the more likely it becomes that a single incident brings everything down.
This makes the single-access model unsustainable as the number of credential holders grows. Imagine a nuclear plant using single access: every update or data transfer in the supply chain would carry the risk of a catastrophic scenario, because no segmentation of access was built in. That risk would be unacceptable.
Detection tools miss most breaches
To prevent breaches, organisations have also implemented threat monitoring and detection solutions. However, these tools do not recognise a login with valid credentials as a threat, so they miss the more than 82% of breaches in which criminals simply log in. Of the remaining 18%, only around a third is ever detected, since new threats continually emerge.
That means those tools effectively miss over 94% of breaches (82% plus two-thirds of the remaining 18%), a massive blind spot. That explains why, despite huge cyber-security spending, companies keep getting breached and cybercrime is now the world's third-largest economy.
Take back access control
To take back control of their access, organisations need to remove passwords from employees' hands. That removes their exposure to human error in handling credentials.
This is possible if you think of passwords as digital keys. No one needs to know the grooves of the key to a house, an office or a car. Organisations can use tools to generate strong, independent passwords that are infeasible to guess or brute-force, centrally from a console, and distribute them to employees in encrypted form so that no one ever sees or knows them. Being data, the passwords can stay encrypted from end to end; all the user needs to do is select the right one and use it.
On top of removing a huge burden from employees' shoulders, this way of doing cyber-security also gives employees a safer place to work, where they can focus on their jobs without the mental stress of keeping passwords in their heads and the stigma of being called security's weakest link.
No ransomware with access segmentation
The other benefit of employees not knowing their passwords is that organisations can use as many distinct passwords as needed across the entire network. This reinstates internal digital doors and stops attackers from travelling across the network after a breach, limiting the damage they can cause to an organisation and its supply chain.
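The two claims above, that the chance of at least one stolen credential grows quickly with the number of people holding one, and that independent passwords per system confine a stolen credential to a single door, can be checked with a small model. The following is an added illustration written for this page, not MyCena's product or code; the user and system names are constructed, the 5% per-person phishing rate is an assumed figure for the arithmetic, and the password generator uses Python's standard `secrets` module rather than any particular vendor console.

```python
import math
import secrets
import string

# Constructed sample data for the model (not from the article).
SYSTEMS = ["email", "hr-portal", "finance-erp", "build-server", "customer-db"]
USERS = ["alice", "bob", "carol", "dave"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Centrally generated password; the employee never has to read or remember it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length: int = 24, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def single_access_vault(users, systems):
    """'Single access' model: one password per user, reused on every system."""
    vault = {}
    for user in users:
        shared = generate_password()
        for system in systems:
            vault[(user, system)] = shared
    return vault


def segmented_vault(users, systems):
    """Segmented model: an independent password for every (user, system) pair."""
    return {(user, system): generate_password() for user in users for system in systems}


def reachable_after_theft(vault, stolen_user, stolen_system):
    """Systems an attacker can log into with one stolen (user, system) credential.

    Lateral movement here means: the same user's password also works elsewhere.
    """
    stolen_password = vault[(stolen_user, stolen_system)]
    return sorted(
        system
        for (user, system), password in vault.items()
        if user == stolen_user and password == stolen_password
    )


def p_at_least_one_compromise(n_people: int, p_each: float) -> float:
    """Probability that at least one of n independent people is successfully phished.

    Complement of 'nobody makes a mistake': 1 - (1 - p)^n.
    """
    return 1 - (1 - p_each) ** n_people


if __name__ == "__main__":
    shared = single_access_vault(USERS, SYSTEMS)
    segmented = segmented_vault(USERS, SYSTEMS)
    print("single access, alice's email password stolen ->", reachable_after_theft(shared, "alice", "email"))
    print("segmented,     alice's email password stolen ->", reachable_after_theft(segmented, "alice", "email"))
    print(f"entropy of a 24-char generated password: {password_entropy_bits():.0f} bits")
    for n in (1, 10, 100, 1000):
        print(f"{n:>5} people at 5% each -> P(at least one phished) = {p_at_least_one_compromise(n, 0.05):.3f}")
```

With the assumed 5% per-person rate, one credential holder gives a 5% chance of a compromise, ten give about 40%, and a hundred give over 99%; the point of the model is that this figure is governed by head count, not by training quality. In the single-access vault a stolen email password opens all five systems, while in the segmented vault it opens only email, which is the "internal digital doors" argument made above.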
Julia O’Toole is CEO of MyCena Security Solutions
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543