Ransomware has dominated the headlines in the last few months, and with malware taking data hostage across the globe, it is easy to see why. No one would argue that ransomware should be ignored, given that Petya infected an estimated 12,000 machines in one day, and WannaCry shut down hospitals in the United Kingdom.
At the same time, cyberattacks are moving from the realm of single attackers to organized crime and state-sponsored attacks, and ransomware does not fit into this business model. While WannaCry made international headlines and cost businesses billions to recover from, only about $150,000 in ransoms were paid. It is the equivalent of breaking your car window to steal the quarters in your cup holder. Compare this to the personal data of 18 million people lost in the OPM breach, or 143 million in the recent Equifax breach. The social security numbers, addresses, and financial histories exposed in these breaches could be used to obtain loans, perform credit or tax fraud, or take over existing bank accounts and drain them.
As Federal CIOs move to protect their agencies against the malware threat, it's crucial not to be distracted from the highest value target of them all: identity.
Cybersecurity of the Past: Brute Force
On the face of it, if the goal is to prevent unauthorized access to data, then building a perimeter around sensitive files with firewalls, passwords, and network controls seems like the most reasonable solution. Doubling up on perimeter protections, however, can have the unintended effect of creating conditions conducive to the development of Shadow IT, where employees are moving faster than the pace of the Information Technology group. This results in the risky practice of moving files onto uncontrolled devices or platforms to perform work-related tasks. Ultimately, resourceful employees find ways around policies if they see a more efficient way, which means they are likely to run afoul of government’s ever-mounting regulations.
We in the security industry created this problem by pushing for longer and more complicated passwords. Once accounts started requiring symbols, numbers, capital letters and lowercase letters, employees could no longer remember their passwords. So what did they do? They started writing their passwords on sticky notes on their desks and reusing credentials across multiple services. To adapt, security teams implemented multifactor authentication (MFA), which added a second layer and required employees to carry a physical token everywhere they went. However, when employees have to enter an RSA token ID in addition to their password each time they want to set up a meeting, they will find more convenient methods outside company policies.
Cybersecurity of the Future: User Experience
Instead of continuing to implement stricter rules and increasingly drastic measures, it is up to us to change the paradigm. Bad actors will continue to target identity data, and the best way to safeguard it is to make the owners of that data more involved. Operate on the assumption that if it’s easier to do a task one way – for example to email a sensitive file unencrypted, instead of on Dropbox – employees will do it. In other words, security protocols should adapt to the user and not the other way around. Ideally, employees shouldn’t have to provide passwords at every step in their process if they are on a secure company network through an authorized device.
Administrators can no longer approach compliance as a matter of coercion. Firewalls and passwords will remain, of course, but the cloud has dramatically altered the workflow possibilities for agencies and their users. When we move the security perimeter from the network to the identity, we open up opportunities to simplify the user experience and make the agency-approved software the easiest solution to use. This encourages employees to follow protocols voluntarily, freeing security teams to focus on external threats without the ever-present worry that insiders are compromising their networks. With the perimeter anchored on identity rather than the network, the mobile workforce is able to succeed in a safe and secure manner.
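As an added illustration of the principle described above (not code from the original post), the following conditional access check prompts for a second factor only when the sign-in context is not already trusted: a managed device on the agency network with a recent strong login gets through without a prompt, while an unmanaged device is refused access to sensitive data outright. The network ranges, the session age limit and the "managed device" attribute are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: address ranges treated as the "secure company network".
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]
# Seconds since the user last completed a full password + MFA login (assumed policy).
MAX_SESSION_AGE = 8 * 3600


@dataclass
class SignInContext:
    user: str
    source_ip: str
    device_managed: bool      # enrolled and compliant with agency device management (assumed attribute)
    session_age: int          # seconds since the last strong authentication
    sensitive_resource: bool  # e.g. an HR or PII system rather than a calendar


def on_corporate_network(ip: str) -> bool:
    """True when the source address falls inside one of the assumed agency ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def decide(ctx: SignInContext) -> str:
    """Return ALLOW, REQUIRE_MFA or DENY for one sign-in attempt."""
    trusted_network = on_corporate_network(ctx.source_ip)
    # An unmanaged device reaching for sensitive data is refused, MFA or not.
    if ctx.sensitive_resource and not ctx.device_managed:
        return "DENY"
    # Managed device, agency network, recent strong login: no extra prompt.
    if ctx.device_managed and trusted_network and ctx.session_age < MAX_SESSION_AGE:
        return "ALLOW"
    # Anything else gets a step-up prompt instead of a flat refusal.
    return "REQUIRE_MFA"


if __name__ == "__main__":
    office = SignInContext("alice", "10.20.30.40", True, 600, True)
    home = SignInContext("alice", "203.0.113.7", True, 600, True)
    byod = SignInContext("bob", "203.0.113.9", False, 0, True)
    for ctx in (office, home, byod):
        print(ctx.user, ctx.source_ip, decide(ctx))
```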
Learn more about how improved user identity and access management holds tremendous potential to safeguard data and increase compliance.