February 9, 2021

In Defense of the “Dumb User” – Are Security Solutions too Complex?

Despite the best efforts of security providers and users, data breaches continue to proliferate, with 37 billion records exposed in data breaches in 2020, a 141% increase over 2019. And each time there’s a breach, we go through the same process of trying to figure out who’s to blame.

Was it an IT admin, who configured a piece of software incorrectly? Was it a user, who clicked on a link they shouldn’t have and unwittingly installed ransomware that spread throughout the system?

Regardless of where the fault lies, common cybersecurity best practices tend to revolve around changing user behaviors. For example, the user needs to make sure their software is always up to date, use strong passwords and change them frequently, and not reuse the same password. Users are also advised against clicking on suspicious emails or opening suspicious attachments.

But, when you’re moving quickly and receiving increasingly convincing phishing emails, how are users supposed to know what’s safe to click on, and what’s not? IT admins are taught to carefully consider the impacts of every configuration decision, but it’s nearly impossible for even the most experienced security professional to account for every dependency in every software.

So, is changing human behavior really the best way to guard against threats? There’s a commonly held belief that people are the weakest link in cybersecurity. That at best, they’re prone to make mistakes, and at worst, they’re careless, dumb or lazy. But if we’ve bought into that premise, then why are we still placing so much responsibility for security in the hands of the user? Shouldn’t we be trying to reduce the risk of the human element?

Instead of trying to swim against the currents of human error, we should try to go with the flow, building in the tools, processes and strategies that reduce or eliminate their potential to impact security in the first place. Let’s design security solutions with the user in mind, building software that minimizes the need to deal with complexity, threats and vulnerabilities.

Rethinking Security: Is Changing User Behavior the Best Practice?


The best way to reduce the risk of human error – and therefore, the risk of data breaches – is to eliminate situations where IT users must juggle needlessly complex routines that only open the door to mistakes. Here are three ways to improve cybersecurity.

Practical Steps for Reducing Human Error

1) Simplify

First, simplify what’s required of the user. We already have an excellent blueprint for this in the cloud, and continuing the cloudification of corporate IT is the next logical step. Through the cloud, we can eliminate the need for users to install certain types of software, like document processing, file storage and sometimes even financial tools. Instead, users can trust the management and security of those tools to the experts.

2) Minimize the number of decisions required from the user

Second, minimize risk by reducing the number of decisions IT users need to make. Immutable infrastructure provides an environment where the user can safely complete a task without worrying about breaking something else.

3) Automate

And finally, let’s embrace automation. There are a number of IT processes that can be automated to eliminate the risk involved with human error. Here’s an example. Permanent passwords and secure access credentials can be forgotten, stolen, mismanaged, misconfigured and lost, leaving businesses open to massive risk. But we can automate access through single sign-on. This type of credential-less access, not granted by user passwords, simplifies the user experience by enabling users to access everything they need with one click. Better yet, no permanent credentials are needed, eliminating the risk that those credentials might fall into the wrong hands.
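To make the “no permanent credentials” idea concrete, here is an added example (written for this page, not SSH’s or PrivX’s own code) of a minimal just-in-time access broker. The user never holds a password for the target: after single sign-on, the broker issues a short-lived, signed grant that names the user, the target and the role, and the target verifies the signature and expiry before allowing the session. Every decision is written to an audit log. The identities, host names, policy and the shared HMAC key are constructed for the demo; a real deployment would use per-host keys or short-lived certificates rather than one symmetric secret.

```python
"""Added example, not part of the original post: a just-in-time access broker
that issues short-lived, signed grants instead of permanent passwords.
All names, hosts, policy entries and keys below are constructed for the demo."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AccessBroker:
    # Secret shared between the broker and the hosts that verify grants
    # (constructed for the demo; production would use asymmetric keys/certs).
    signing_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # identity -> target -> set of roles the SSO-authenticated identity may assume
    policy: dict = field(default_factory=dict)
    # Every grant and denial is recorded so privileged access can be audited.
    audit_log: list = field(default_factory=list)

    def request_access(self, identity, target, role, ttl_seconds=300, now=None):
        """Issue a time-bounded grant for one target/role, or None if denied.
        The caller receives no password: only a signed grant that expires."""
        now = time.time() if now is None else now
        allowed = self.policy.get(identity, {}).get(target, set())
        if role not in allowed:
            self.audit_log.append(("DENY", identity, target, role, now))
            return None
        grant = {
            "sub": identity,
            "target": target,
            "role": role,
            "iat": now,
            "exp": now + ttl_seconds,          # the grant dies on its own
            "nonce": secrets.token_hex(8),     # makes each grant unique
        }
        payload = json.dumps(grant, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        self.audit_log.append(("GRANT", identity, target, role, now))
        return {"payload": payload, "sig": sig}


def verify_grant(signing_key, token, target, now=None):
    """Target-side check: signature intact, issued for this host, not expired.
    Returns (identity, role) on success, None otherwise."""
    now = time.time() if now is None else now
    expected = hmac.new(signing_key, token["payload"], hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    grant = json.loads(token["payload"])
    if grant["target"] != target or now >= grant["exp"]:
        return None
    return grant["sub"], grant["role"]


def demo():
    """Walk through a grant, an expired grant and a tampered grant."""
    broker = AccessBroker(policy={"alice": {"db-01": {"dba"}}})
    t0 = 1_700_000_000.0                       # fixed clock for reproducibility
    tok = broker.request_access("alice", "db-01", "dba", ttl_seconds=300, now=t0)
    fresh = verify_grant(broker.signing_key, tok, "db-01", now=t0 + 60)
    expired = verify_grant(broker.signing_key, tok, "db-01", now=t0 + 301)
    forged = dict(tok, payload=tok["payload"].replace(b'"dba"', b'"root"'))
    tampered = verify_grant(broker.signing_key, forged, "db-01", now=t0 + 60)
    return fresh, expired, tampered, broker.audit_log


if __name__ == "__main__":
    fresh, expired, tampered, log = demo()
    print("fresh grant  :", fresh)        # ('alice', 'dba')
    print("after expiry :", expired)      # None
    print("tampered     :", tampered)     # None
    print("audit log    :", log)
```

The point of the design is that there is nothing permanent to steal: a leaked grant is useless after a few minutes, is bound to one host and one role, and cannot be edited to escalate the role without breaking the signature, while the audit log records who asked for what and when.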

The bottom line is that security solutions today are simply too complex, leaving businesses open to risk of breaches because of human error. We can reduce the capacity for human error by designing security solutions that put the user first, automate routines and reduce unnecessary complexity.

Conclusion

You've probably figured it out already that I've been discussing a particular area of cybersecurity, which is privileged access management (PAM). Instead of explaining the topic any further here, I recommend you take a look at this pretty neat infographic that explains which elements your PAM does NOT need. After all, simplicity starts with reducing complexity.

5 Elements to Avoid When Deploying PAM

While you're at it, check out our lean, simple and scalable PAM solution, PrivX to get started on your journey to reduce complexity.

FAQ

What are the benefits of implementing privileged access management (PAM) for reducing security risks?

Implementing privileged access management (PAM) enhances security by enforcing least privilege principles, ensuring employees only have the necessary access. PAM solutions provide multifactor authentication, reducing risks of unauthorized access to privileged systems.

With just-in-time access, administrators can provision temporary elevated privileges, minimizing the attack surface. PAM also supports audit trails, enabling thorough analysis and control of privileged actions, which is crucial for meeting cyber insurance requirements.

How can administrator accounts be better secured to minimize human error and threats?

Securing administrator accounts involves implementing least privilege enforcement, reducing admin rights to essential tasks. Multifactor authentication and strong password policies further protect these accounts. Regularly auditing and monitoring event data helps detect anomalies and potential threats. Integration with privilege management solutions allows IT teams to automate the provisioning and de-provisioning of admin privileges, minimizing human error and the risk of malware attacks.

What are some best practices for managing privileged access in line with zero trust principles?

Best practices for managing privileged access in line with zero trust include enforcing least privilege policies and utilizing just-in-time access to minimize the duration of elevated privileges.

Implementing multifactor authentication for all privileged accounts and integrating PAM solutions with existing security controls ensures continuous monitoring and validation.

Regular audits and analysis of privileged actions help maintain compliance and mitigate risks from threat actors.

How does PrivX compare to traditional PAM solutions in terms of effectiveness and usability?

PrivX offers a streamlined approach to privileged account management with just-in-time access, reducing the need for persistently elevated privileges. Its API integration and automation capabilities simplify provisioning and management, making it more user-friendly for administrators.

Compared to traditional PAM solutions, PrivX minimizes the attack surface and provides robust audit trails, enhancing overall security and compliance with cyber insurance requirements.

How do security controls in PAM help mitigate the risks associated with human error in cybersecurity?

Security controls in PAM enforce least privilege access, reducing the likelihood of human error. Multifactor authentication ensures that only authorized users gain access to privileged systems. By providing detailed audit trails and event data analysis, PAM solutions help IT teams quickly identify and respond to suspicious actions.

Additionally, automated provisioning and de-provisioning of privileges reduce the chances of misconfiguration and unauthorized access by employees or hackers.

Miikka Sainio

Miikka guides the software architecture and development at SSH. He has over 20 years of experience in the IT industry, building teams and developing products in startups and large enterprises.