Building Security Around Human Vulnerabilities

Written by Benjamin Corll, CISO in Residence, Zscaler.

Why are organizations spending money on cybersecurity solutions when studies show 88% of data breaches are caused by human mistakes?

If you’re a cybersecurity leader you have probably heard some variation of this question from people skeptical of our industry. The implication is that it’s unwise to buy expensive tools and services that merely address 12% of an organization’s security problem. Of course, this view erroneously assumes security measures are exclusively divided between preventing human error and mitigating technical vulnerabilities.

The truth is that human fallibility is a problem for all types of security, not just those in the digital realm. Trusting people can be tricked into opening locked buildings to unwanted visitors. Distracted commuters can leave their vehicles unlocked and running in the driveway as they dash inside to grab their mobile phone. People hand their credit cards to servers at restaurants without knowing anything about their prior history or character. All day, every day, busy people make questionable decisions that potentially expose them to criminal activity.

Yet, we never ask automakers, credit card companies, or homebuilders why they implement security features when human error can easily render them useless. We understand most criminals seek low-hanging fruit, and each layer of security makes it a little more difficult for bad actors to victimize the innocent. Ultimately we’re not aiming for silver-bullet security, we’re just looking for enough protection to dissuade criminals from making an effort.

Which cybersecurity technologies can protect users and organizations in spite of human error? There are many, but here are a few particularly effective ones:

• Multi-factor authentication: Requiring more than a simple username and password for system access is a great first step for improving security. Multi-factor authentication requires users to provide several forms of ID for access. This approach to access control is often described as requiring something you know (credentials), something you have (key fob/phone), and something you are (biometrics).
• User/app segmentation: Traditional network architecture allows users to broadly authenticate to a domain/network. This means when attackers compromise an account, they likewise authenticate to the entire network, potentially affecting everything on it. Segmenting network connections down to a single requestor communicating with one resource limits the amount of damage a compromised account can inflict.
• Zero trust: A zero trust framework is key to keeping users and their environment safe. Zero trust practices include adopting a default deny security posture, using the principle of least privilege, and performing continuous authentication. Most businesses resemble a patchwork of interconnected systems littered with random security checkpoints. A zero trust environment imposes intentional access and is restricted to known actors performing authorized activities.

Cybersecurity, like physical security, is built with the imperfections of humanity in mind. No amount of annual cyber hygiene or phishing awareness training is going to prevent people from making mistakes. Knowing this, we can focus resources on building a security program that takes human fallibility into account and still protects our organization.