Where Do Companies Go Wrong?
Given that most breaches start with a user (over 90% by the estimates this post relies on), a good starting point is to understand the cyberhealth of both internal and external users. Yet most companies concentrate on non-user security: they build walls and moats to keep the bad guys out. That is unfortunate, because attackers today no longer have to break into companies; they simply log in as the good guy. Times have changed. Attackers already hold privileged credentials, billions of them harvested from earlier breaches, and many use these compromised accounts to access and steal sensitive data from organizations. It only takes one working credential, and the exploit begins.
So, if over 90% of breaches are user-derived, why is there such limited visibility into these threats? Because traditional security approaches and tools were never built to treat the user as the greatest threat; the visibility they fail to provide creates a massive blind spot for attackers to exploit. Take the Dell breach announced on November 28th, 2018. Dell reported that its customer-facing website had been breached and, even while stating that it had no evidence that any data was taken, forced all of its users through a password change. A precautionary reset is a reasonable response when the exposure cannot be scoped, but that is exactly the point: would Dell have needed such a blanket countermeasure if it really knew who its users were and which accounts had been touched? Because Dell, like so many others, had little visibility into its users, it could not tell good from bad.
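What "visibility into the user" can look like in practice, as an added example that is not code from the original post: a small detector that runs over authentication log lines and flags a source address that is working through many different accounts with stolen credentials (high failure rate across many usernames in a short window), along with the accounts it actually got into. The log format, the sample lines and the thresholds are all constructed for illustration and are assumptions, not figures from the post.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example. The log format (`ts ip=... user=... result=OK|FAIL`), the
sample lines and the thresholds below are constructed assumptions for
illustration, not anything from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.9 tries seven accounts in three minutes with
# leaked credentials and gets into one (frank). The other addresses are
# ordinary users, including one who mistypes a password once.
SAMPLE_LOG = """\
2018-11-09T02:14:01Z ip=203.0.113.9 user=alice result=FAIL
2018-11-09T02:14:03Z ip=203.0.113.9 user=bob result=FAIL
2018-11-09T02:14:06Z ip=203.0.113.9 user=carol result=FAIL
2018-11-09T02:14:40Z ip=203.0.113.9 user=dave result=FAIL
2018-11-09T02:15:12Z ip=203.0.113.9 user=erin result=FAIL
2018-11-09T02:16:30Z ip=203.0.113.9 user=frank result=OK
2018-11-09T02:16:55Z ip=203.0.113.9 user=grace result=FAIL
2018-11-09T08:00:10Z ip=198.51.100.20 user=alice result=OK
2018-11-09T08:02:41Z ip=198.51.100.21 user=bob result=FAIL
2018-11-09T08:02:58Z ip=198.51.100.21 user=bob result=OK
2018-11-09T09:15:00Z ip=192.0.2.5 user=carol result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5,
                    max_success_ratio=0.3):
    """Return {ip: finding} for addresses that, within any `window`, hit at
    least `min_users` distinct accounts with a success ratio at or below
    `max_success_ratio`. Successful logins inside such a burst are reported
    as suspected account takeovers."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(events)):
            # Slide the window end forward so events[i..j] lie within `window`.
            j = max(j, i)
            while j + 1 < len(events) and events[j + 1]["ts"] - events[i]["ts"] <= window:
                j += 1
            chunk = events[i:j + 1]
            users = {e["user"] for e in chunk}
            successes = [e for e in chunk if e["ok"]]
            if len(users) < min_users or len(successes) / len(chunk) > max_success_ratio:
                continue
            prev = findings.get(ip)
            if prev is None or len(chunk) > prev["attempts"]:
                findings[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "failures": len(chunk) - len(successes),
                    "suspected_takeovers": sorted({e["user"] for e in successes}),
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['attempts']} attempts across {f['distinct_users']} accounts, "
              f"{f['failures']} failures; suspected takeovers: {f['suspected_takeovers']}")
```

The normal traffic is never flagged: one user retrying a mistyped password is a single account, not a spread across many. The stuffing burst is flagged on the spread of usernames and the failure rate, and the one account the attacker did get into is the one that needs a targeted reset, which is the difference between scoping an incident and resetting everyone.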
Dell is obviously not alone. Some of the most noteworthy breaches have involved the exploitation of a user, which is why security must start with the user. Users are a company's greatest asset, but also its greatest threat. Without a holistic view of each user's security, breaches will keep happening. Companies must understand their users better so they can be smarter about mitigating the risks. It is not always about adding more authentication layers, encrypting more data and building more barriers; the shotgun approach rarely works in security. Sometimes a little user education and a view into a user's cyberhealth go a long way. Certain things in this world are inevitable, and the choice is either to look the other way or to take them head on. As with all things in life, acceptance and preparedness are key. Breaches will happen, just like death and taxes.