Human error is a mounting concern in cyber security. Indeed, Verizon’s annual Data Breach Investigations Report for 2022 found that human error was the main cause of cyber security breaches, accounting for 82 percent of attacks.
Organisations are wising up to the extent of this threat. For example, Gartner estimates that cyber security awareness training will be worth $10 billion by 2027, while a 2021 UK government poll found that 20 percent of UK businesses have tested employees as part of their cyber security education programmes.
Yet is better education enough? With the cost of cyber crime set to hit $10.5 trillion by 2025, the answer is most probably ‘no’. More must be done to mitigate the growing risk of attack.
It’s time to manage identities
In today’s increasingly digitised world, individuals’ digital footprints span numerous devices, applications, tools, and platforms, with each instance generating a unique digital identity. In a work environment, this means that one employee could have dozens of identities linked to them. The same is true for non-humans, including bots. Keeping track of this sprawl is an enormous undertaking, but if it isn’t adequately managed, organisations will face a heightened risk of attack or non-compliance.
Identity and Access Management (IAM) enables organisations to mitigate these risks. It breaks down into two interconnected branches, which together govern how users and identities interact with information, tools and applications across internal systems.
The first branch is identity management. An ‘identity’ can be anything from a person to an object or a piece of code that interacts with information. Each should be assigned a level of privilege, and will require authentication to ensure the person or machine behind the identity is who the organisation believes it to be. A robust identity management solution should be able to scale to cope with the proliferation of identities within the organisation, and should make it easy for admins to add and remove identities as people join and leave the company, or as technology is deployed or decommissioned.
Furthermore, each identity will depend on a set of resources to do its job or complete its tasks. This means organisations need to ensure that only authorised identities can access those files, applications or services. This is the second branch of IAM: access management.
This concept is well illustrated using a school’s infrastructure. Pupils, teachers and administrators all utilise different resources during the school day. Rather than authorise each unique identity individually – a process that is onerous and prone to error – they can be grouped according to their roles, the resources they need to access, and the level of access they need for each resource. For example, while teachers and pupils will need access to teaching materials, administrators and teachers will need to view and/or edit attendance data, report cards, exam results, and more. It makes sense in this setup for certain roles to require access to confidential information that should not be accessed by others. Even though identities overlap, access rights are unique.
While this is a simple use case, the very same principles apply in any organisation. Access management helps create and define groups, allowing the users and bots to access what they need, and nothing more.
Beware of privilege creep
During their employment at a company, users often accumulate privileges. As they progress through a company or are brought onto new projects, they will be granted access to new applications and data sets, often on a short-term basis. The issue here is that it is easy for organisations to lose track of when this access should be revoked, leaving users with access to far more than they need.
Privileged Access Management (PAM) enables organisations to curtail user privileges and ensure the right people have access to the right resources, for the right amount of time. It systematically protects sensitive information, systems and applications, by providing just-in-time (JIT) access, rotating credentials and by monitoring privileged activity. These tools often enforce ‘least privilege’ – limiting access to the bare essentials.
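As an added illustration (not code from the article or any named product), the school example above expressed as role-based permissions, combined with the time-bound just-in-time grants that PAM uses to stop privileges accumulating. The role names, resources and helper functions are assumptions made for this example; expired grants are surfaced as privilege creep and revoked.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role -> resource -> allowed actions. Constructed from the school example:
# pupils and teachers share teaching materials; teachers and administrators
# overlap on attendance and report cards, but their rights differ.
ROLE_PERMISSIONS = {
    "pupil": {"teaching_materials": {"read"}},
    "teacher": {"teaching_materials": {"read", "edit"},
                "attendance": {"read", "edit"},
                "report_cards": {"read", "edit"},
                "exam_results": {"read"}},
    "administrator": {"attendance": {"read", "edit"},
                      "report_cards": {"read", "edit"},
                      "exam_results": {"read", "edit"}},
}

@dataclass
class Grant:
    """A just-in-time grant: every one carries an expiry, never open-ended."""
    resource: str
    action: str
    expires: datetime

@dataclass
class Identity:
    name: str
    roles: set
    grants: list = field(default_factory=list)

def grant_jit(identity, resource, action, now, ttl):
    """Give a temporary privilege that lapses after ttl (assumed helper)."""
    identity.grants.append(Grant(resource, action, now + ttl))

def has_access(identity, resource, action, now):
    """Role permissions first, then any JIT grant that is still live."""
    for role in identity.roles:
        if action in ROLE_PERMISSIONS.get(role, {}).get(resource, set()):
            return True
    return any(g.resource == resource and g.action == action and g.expires > now
               for g in identity.grants)

def expired_grants(identity, now):
    """Privilege creep candidates: grants past expiry that were never removed."""
    return [g for g in identity.grants if g.expires <= now]

def revoke_expired(identity, now):
    """Strip lapsed grants and return them for the audit trail."""
    stale = expired_grants(identity, now)
    identity.grants = [g for g in identity.grants if g.expires > now]
    return stale
```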
Raising security awareness
While this technology can certainly assist in preventing malicious as well as accidental identity-related security breaches, educating the workforce should nevertheless remain a key component in every organisation’s cyber security strategy. While employees may care about corporate data, they might not be aware of the steps they need to take in order to secure and protect it.
To combat this, companies need to run education programmes that instil individual responsibility. It’s also important to get rid of the negative connotations around popular cyber security concepts such as ‘Zero Trust,’ which comes with the tagline “trust no one, verify everything.” There’s a fine line to tread between usability, security and trust, and it is important not to go too far with surveillance technologies.
Insider threat programmes that focus on monitoring for risky behaviour are a good compromise here. Risky activity – or users – can be identified based on multiple factors, and training programmes can be created that address these specific use cases.
To err is human, but it is important to remember that employees build businesses and contribute to their long-term growth and success. Rather than place the onus on them to be cyber aware – and blame them when things go awry – they require education about the risks they could face, and they need to work within a framework where identities are centrally managed and controlled. Then, even if they do make mistakes, their errors won’t expose their employer to any unnecessary risk.