Your current approach to cybersecurity creates systemic vulnerabilities

Verizon recently released its 2022 Data Breach Investigations Report, giving businesses critical insights into the state of cybersecurity around the world. Drawing on an analysis of more than 23,000 incidents and 5,200 confirmed breaches, and on 15 years of reporting, Verizon identifies financial gain as the number one motive for cyberattacks. Nearly four out of five breaches were attributable to organized crime seeking to extort large ransom payments from companies, often backed by insurance payouts.

Verizon also estimated that there was a 13% increase in ransomware breaches – that’s more than in the past 5 years combined. Additionally, 82% of cyber breaches involved a human element, namely credential theft, phishing, misuse, or just plain error.

Verizon says people continue to play a very important role in incidents and breaches. This year, 18% of clicked phishing emails are also thought to have come directly from a mobile phone, making this a weakness for enterprise security. Verizon says its statistics underscore the importance of having a strong security awareness program.

It is very clear that private companies and public organizations desperately need to change their approach to cybersecurity. Improving security awareness is good, but directly addressing a problem that has persisted unchallenged for nearly two decades is better.

Systemic flaw in access process

The cybersecurity community and the media are widely convinced that the main problem in cybersecurity is people. This is backed up by research such as Verizon’s latest Data Breach Investigations Report, which found that more than 80% of cyberattacks and network breaches can be traced back to the human element around credentials, especially the theft and misuse of credentials.

However, this accusation is misplaced. Imagine a road junction where over 80% of accidents happen, and people start blaming the drivers, suggesting that they should be trained to drive better. What needs to change is the junction design, not the people.

Systemic use of weak and reused passwords

In all breaches, humans are always accused of using weak or reused passwords. This problem is actually not the fault of the individual. First, it is impossible to remember hundreds of random passwords like 9f64q3tfAT$Q£532W%. People should never have been put in this situation in the first place. But with no choice in the digital world, they had to resort to easy-to-remember passwords, phrases, or patterns like 123456 to make the process work for them.

Systemic violation of data privacy laws

Weak and reused passwords are not the root cause of breaches. The biggest problem companies face occurs when they allow employees to create their own passwords. When this happens, companies have lost control of their keys, therefore of their data and their network. If it’s “not your keys”, it’s not “your data”. This means companies cannot comply with data privacy laws, which may explain why data breaches are so common these days.

Systemic dismantling of resilience

In addition to losing control of their access, organizations trying to reduce the number of passwords to remember have adopted single access (Single Sign On, Identity Access Management, Privileged Access Management) without realizing that this automatically removes layers and barriers for criminals, reducing the number of steps needed once they break into the network. By creating a golden pathway for criminals to access, scan and locate the privilege needed to lock down the entire network, they reduced the total time from initial access to ransomware deployment by 94.34% – from over two months to 3.85 days between 2019 and 2021. In the same process, they compounded the potential negative effect of any data breach by putting all their data in one basket accessible from an administrator or privileged account.

More cybersecurity tools or training won’t solve the problem

Without addressing their access security vulnerabilities, increasing budgets for cybersecurity tools or training will not stop breaches or ransomware, just as putting more gadgets in a car and giving more driving lessons won’t stop road accidents if the infrastructure is built dangerously. There’s no need to train people in password hygiene when they shouldn’t be creating and knowing company passwords in the first place. There’s no need to educate people about phishing when they can’t give out passwords they don’t know. There’s no need to take down the entire IT infrastructure when you suspect a breach if every system has a different password and there’s no single access point from which to lock down or steal everything.

A change of mentality

Over the past few years, the number of cyberattacks has increased even as cybersecurity budgets have increased, without many wondering why. Despite more than 80% of breaches being related to human credentials, the bulk of the cybersecurity budget has been spent on infrastructure and system vulnerabilities, the majority of which remain undetected. But now, the massive fallout risks to the physical world have people demanding a change in the way cybersecurity is done. For example, the National Director of Cybersecurity in the United States, Chris Inglis, recently called on the administration and federal agencies to transform their approach to and investment in cybersecurity, as previous efforts have clearly “not worked”.

Why people shouldn’t create their passwords in the first place

Investing billions of dollars in cybersecurity will only work if you can secure your doors. And that starts with not letting employees control the access credentials to corporate infrastructure and assets. When other people create your entire organization’s digital keys, you lose both visibility and control over what happens to them.

Really, passwords are just keys

To regain control of their passwords, organizations must treat passwords for what they are: keys. Just as a new employee receives building and office keys when starting a new job, he or she should receive digital keys from the organization on the first day, rather than creating their own.

The only difference between physical and digital keys is the absence of physical barriers in the digital world. To steal physical keys, you must be near the keys. Digital keys or passwords can be stolen anywhere in the world.

Encrypt your keys so they can’t be stolen

In the absence of physical barriers to credential theft, the most effective measure to protect keys is to use the secret protection method: cryptography. Companies simply encrypt their access credentials for every system and distribute them to their users in a secure place that only each user can access. This logic addresses the more than 80% of breaches that involve credentials.

Image credit: ArtemisDiana / DepositPhotos

Julia O’Toole is CEO and Founder of MyCena.
