Editor’s note: The following is a guest article from Kapil Raina, identity protection evangelist at CrowdStrike.
It is likely that in your effort to safeguard your company’s network, data and people, you are forgetting one huge variable in your identity protection strategy: human nature.
By failing to account for human behavior in planning and deployment, businesses unknowingly create security gaps that hackers can exploit.
With 80% of security breaches leveraging identity-based attacks, organizations are now focusing their attention on protecting user and machine credentials, as well as the identity infrastructure itself (e.g., Active Directory).
Adversaries use stolen credentials to bypass defenses and masquerade as legitimate users. When identities are compromised, enterprises are exposed to threats that range from ransomware to the theft of personally identifiable information of employees and customers.
It is great to see organizations giving identity protection the attention it deserves. However, one area they need to face head-on is the clash between the complexities of identity protection and the human need to “make things simple.”
Organizations must strike a delicate balance between maximizing end-user protection and minimizing the security-related obstacles employees need to navigate in their day-to-day work.
Let’s take a look at how many times a person needs to establish their identity in a typical work day.
- First, you need to log on to your computer.
- Second, assuming you are working remotely, you will need to establish your identity to a VPN, which likely requires a multifactor authentication (MFA) step.
- If you have single sign-on (SSO), you will also need to authenticate to the SSO portal, typically with another MFA step, before it signs you in to the applications behind it.
Remember, this is a typical use case.
Now, imagine if you don’t have SSO and need to log in to individual apps and databases. The number of password or MFA challenges (and associated business rules for triggering them) can be overwhelming.
By having workers go through multiple steps just to do their work, it is no surprise that people will often use the same credentials across multiple accounts to make things easier for themselves. It’s just human nature. And constantly forcing MFA can lead to “MFA fatigue,” a scenario in which the legitimate user, worn down by repeated push notifications, approves every prompt without reading it.
In this case, an adversary who already holds a valid username and password keeps triggering sign-in attempts, each of which sends the real user an MFA prompt. Eventually the user approves one reflexively. This lets the adversary continue the attack and bypass MFA without ever possessing the second factor.
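The pattern described above is visible in authentication logs: a run of denied or timed-out push prompts for one user, followed by an approval. The following is an added detection example, not code from the original article or from any vendor product. It scans a constructed set of MFA push events (sample data, not real logs); the log format, field names, window and threshold are assumptions chosen for illustration.

```python
"""Detecting MFA push fatigue in authentication logs.

Added example, not code from the original article: it scans a constructed set
of MFA push events and raises an alert when an approval is preceded, within a
short window, by a run of prompts the user denied or let time out. That is the
shape of the attack described above: the adversary holds a valid password,
spams push prompts, and eventually the legitimate user taps "approve".
The log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, push result.
SAMPLE_LOG = """\
2023-09-14T08:02:11Z alice approved
2023-09-14T13:41:05Z bob denied
2023-09-14T13:41:39Z bob denied
2023-09-14T13:42:10Z bob timeout
2023-09-14T13:42:48Z bob denied
2023-09-14T13:43:20Z bob timeout
2023-09-14T13:44:02Z bob approved
2023-09-14T15:10:00Z carol approved
2023-09-14T15:10:30Z carol approved
"""

WINDOW = timedelta(minutes=10)   # assumption: look-back window before an approval
MIN_REJECTED = 3                 # assumption: rejected/timed-out prompts needed to alert


def parse_log(text):
    """Parse 'timestamp user result' lines into sorted (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def find_push_fatigue(events, window=WINDOW, min_rejected=MIN_REJECTED):
    """Return one alert per suspicious approval.

    An approval is suspicious when at least `min_rejected` prompts for the same
    user were denied or timed out inside `window` before it. Two quick approvals
    in a row (carol) are not flagged: a burst of accepted prompts is ordinary
    SSO behaviour, not fatigue.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    alerts = []
    for user, history in by_user.items():
        for i, (ts, result) in enumerate(history):
            if result != "approved":
                continue
            # Prompts for this user that fell inside the window before the approval.
            prior = [(t, r) for t, r in history[:i] if ts - t <= window]
            rejected = sum(1 for _, r in prior if r in ("denied", "timeout"))
            if rejected >= min_rejected:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "prior_rejected": rejected,
                    "first_prompt": prior[0][0].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running this over the sample flags only bob: five rejected prompts in three minutes, then an approval. Detection is the fallback; the control that actually breaks the attack is number matching (the user must type a code shown on the login screen into the authenticator), since a user who is not at a login screen has nothing to type.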
The human inclination to keep things simple can quickly become a serious security risk for enterprises, especially with hackers stepping up their “credential stuffing” efforts: replaying username and password pairs leaked from one breach against other services, which works precisely because people reuse passwords.
Hackers will use social engineering and phishing techniques to obtain people’s credentials and then use the stolen identities to penetrate corporate networks. And this attack surface can extend to an organization's entire supply chain — leaving many opportunities for an adversary to succeed.
Reexamine identity security with a human eye
As organizations invest in cybersecurity, an increasingly complex security stack can create several touchpoints where identities can be compromised due to human nature.
Here are a few key things security teams should keep in mind when designing an identity threat protection strategy that prioritizes security without sacrificing user experience:
Understand how workers interact with your systems
Are your workers going through unnecessary steps to access corporate resources they need to do their jobs? What is their technical expertise and access to support (office staff, field operations, factory operations, etc.)?
By reducing the security hurdles employees must clear, organizations let them do their jobs more efficiently and securely. This also reduces the temptation for employees to use risky, unauthorized workarounds.
Reduce security complexity
Employing simple policies and risk-based access controls can greatly enhance the user experience.
For example, solutions such as risk-based conditional access and adaptive authentication can adjust to a user’s risk profile without interrupting their workflow.
If a user’s normal behavior changes, for example they start reaching systems they have never used or moving unusual volumes of data, their risk score rises and they can be challenged to verify their identity.
If the person passes the challenge, then their risk profile can be readjusted without creating an additional burden for the security team.
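The following is an added example of the adaptive-authentication loop just described; it is not code from the article or from any vendor product. Each access request is scored against the user's learned baseline, a step-up MFA challenge is required only when the score crosses a threshold, and a passed challenge folds the new context into the baseline so the next routine request is not challenged again. The signals, weights, thresholds and sample requests are assumptions chosen for illustration.

```python
"""Risk-based adaptive authentication, as a small worked example.

Added example (not code from the original article or any product): score each
request against the user's baseline, step up to MFA only above a threshold,
and re-baseline after a passed challenge so routine work is not interrupted
again. Signals, weights and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Assumed risk weights per signal; a real deployment tunes these empirically.
WEIGHTS = {
    "new_device": 30,
    "new_country": 40,
    "off_hours": 10,
    "new_resource": 20,       # a system the user has never accessed before
    "bulk_download": 35,      # unusual volume of data moved out
}
STEP_UP_THRESHOLD = 50        # assumption: at or above this, require MFA
DENY_THRESHOLD = 90           # assumption: at or above this, block and refer to analysts
BULK_BYTES = 500_000_000      # assumption: bytes out per request that counts as bulk


@dataclass
class Baseline:
    """What is normal for one user, learned from past allowed requests."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    resources: set = field(default_factory=set)


@dataclass
class Request:
    user: str
    device: str
    country: str
    hour: int            # local hour of the request, 0-23
    resource: str
    bytes_out: int = 0


def score_request(req, baseline):
    """Return (score, signals) for a request against the user's baseline."""
    signals = []
    if req.device not in baseline.devices:
        signals.append("new_device")
    if req.country not in baseline.countries:
        signals.append("new_country")
    if not 7 <= req.hour <= 19:
        signals.append("off_hours")
    if req.resource not in baseline.resources:
        signals.append("new_resource")
    if req.bytes_out > BULK_BYTES:
        signals.append("bulk_download")
    return sum(WEIGHTS[s] for s in signals), signals


def learn(baseline, req):
    """Fold an allowed request's context into the baseline (the 'readjust' step)."""
    baseline.devices.add(req.device)
    baseline.countries.add(req.country)
    baseline.resources.add(req.resource)


def decide(req, baseline, mfa_passed=False):
    """Return 'allow', 'challenge' or 'deny'.

    mfa_passed is True when the caller re-submits a request after the user
    answered the step-up challenge for it. Scores at or above DENY_THRESHOLD
    are blocked regardless: too many anomalies at once is not something a
    self-service MFA prompt should be able to clear (policy assumption).
    """
    score, _signals = score_request(req, baseline)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD and not mfa_passed:
        return "challenge"
    learn(baseline, req)
    return "allow"


if __name__ == "__main__":
    alice = Baseline({"laptop-1"}, {"US"}, {"crm"})
    routine = Request("alice", "laptop-1", "US", 10, "crm")
    unusual = Request("alice", "laptop-1", "US", 14, "finance-share", 2_000_000_000)
    print(decide(routine, alice))                    # allow
    print(decide(unusual, alice))                    # challenge (20 + 35 = 55)
    print(decide(unusual, alice, mfa_passed=True))   # allow, baseline now knows finance-share
    print(decide(Request("alice", "phone-9", "BR", 3, "crm"), alice))  # challenge (80)
```

The important property is in the last two calls: once the user proves their identity for the finance share, that resource becomes part of their baseline and later requests to it are not challenged, while a genuinely new device in a new country at 3 a.m. still is. Nothing here touches the security team; the re-baselining is automatic.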
Consider using a unified security platform
Taking a platform approach can help protect your company’s network and resources with continuous risk-based verification of user access. This includes contractors, partners and vendors from managed and unmanaged endpoints, and extends protection across on-premises, cloud and legacy applications.
By automatically creating and correlating contextual risk-based information from all entities, you can easily enable secure access to your workforce without compromising productivity and reduce the attack surface by preventing lateral movement across the network.
Cybersecurity has historically been seen as an obstacle to user experience. Now, with people working remotely more than ever, it’s time for IT and security teams to accept the user experience has become an integral part of their cybersecurity strategy.