Behind every major data breach, there is human error.
The past 5 years have seen a sharp increase in the rate and severity of data breaches.
We've moved from a couple of breaches per year, covered only by specialized cybersecurity blogs, to colossal hacks affecting millions of people, disclosed quarterly by the mainstream media.
What led us to this point were multiple factors stemming from weak infrastructure, designed and implemented over the course of the last 25 years.
Systems were designed around humans, without taking into consideration three human properties, which ultimately resulted in the gradual weakening of our entire internet infrastructure.
The modus operandi has always been (and sadly, still is) to design systems that cover every base when it comes to security, but do not account for human nature.
Frankly, this unofficial rule of thumb is completely understandable, as it is extremely hard to develop systems that are immune to the damage humans can do to them.
Designing systems that work is hard enough as it is, and having to incorporate the infinite complexities of human nature in order to build a stronger product would turn any project into an almost impossible task.
This is why the decision to ignore these risks was made, in a mob mentality kind of way, by C-levels who looked at the problem from an economic standpoint.
When it comes to cybersecurity, we humans are our own worst enemies; it's in our genes.
1- Humans are forgetful
We come with limited memory space. This is why we forget our parents' wedding anniversary and the names of our cousin's children.
Even worse than that, we have selective memory, which means that we tend to more easily forget things we care less about.
In the realm of cybersecurity, forgetfulness is a big problem, because we still rely on secrets to authenticate us to services. The best example of that is something we here at Myki specialize in: passwords.
Every employee has, on average, over 200 personal and work-related passwords. The rule is that every password has to be complex and unique, but due to our limited memory (and negligence, which we will talk about in point 2), we tend to either reuse the same passwords everywhere or use weak variations of them.
Even worse, we often write our passwords down in insecure places, such as on Post-it notes and in note-taking apps on our phones, to make sure we don't forget them.
Remember that guy from the Hawaiian missile crisis whose password, written on a Post-it note, appeared on live television?
Relying less on human memory would greatly reduce the likelihood of companies getting hacked.
2- Humans are negligent
As humans, we are negligent. That is just a fact. This affects us in a multitude of ways, both in our personal and professional lives.
But the fact that data breaches can be triggered by the smallest of events, or lack thereof, exponentially increases the effects of negligence.
Sharing passwords with co-workers in order to simplify workflow is one example of dangerous human negligence. Responding to an email with sensitive company data without double-checking the source of the email is another.
But the one that takes the cake for me is something that I witnessed a couple of years ago when visiting a local branch of my bank.
While walking between the aisles, I started noticing something odd. A significant number of the workstations had staplers on top of the space bars of the keyboards. I was very intrigued, so I asked one of the employees about this.
He told me that the computers have a secure timeout feature that locks the screens after 30 seconds of inactivity, and in order to spare themselves the hassle of authenticating multiple times a day, employees block this locking mechanism by placing staplers on the space bar.
Mind-boggling. I told myself at the time: "We are evolutionarily designed to get hacked."
This is just one of numerous examples of risky authentication practices that can be mitigated by using a solution that streamlines the authentication process.
3- Humans are malicious
Out of the three reasons we get hacked, this is by far the most dramatic.
People often disagree with one another for a number of reasons, and sometimes they even go the extra mile and do something that actually hurts the other person.
This is a frequent occurrence in the corporate world, because employees who act maliciously don't direct their actions toward any particular person but toward an entity; it's easier to feel guilty about attacking a person than a faceless corporation.
One obvious malicious behavior risk is an employee keeping their company credentials after they've left the company and using them to steal or corrupt data.
My favorite case of corporate maliciousness occurred back in 2013.
One of the investment managers of a big private equity firm was pulling an all-nighter. He went to the coffee machine, which was located next to the floor printer, to make a cup of coffee.
While he was doing that, the printer started printing documents. This was very odd, as he was the only person in the office at that time of the night.
He approached the printer and noticed that the documents it was printing contained insider information pertaining to research conducted on deals going back 5 years.
Alarmed, he woke up his manager, who woke up the IT department, who then rushed to the office. They discovered that a former employee had kept his VPN access long after he had left the company and had used it, together with a server password that had been left unchanged, to steal the data.
Luckily, the "hacker" printed these documents thinking he was using his local network printer, but because he was connected to the VPN, the print job had actually gone to the office printer instead.
IT was able to detect the breach by examining VPN and printer logs, and immediately took action.
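The detection step in the story above, examining VPN and printer logs for a former employee's activity, as an added example that is not from the original post: it cross-checks a constructed offboarding register against constructed VPN and print-server log lines, flagging any VPN login by an offboarded account and any print job by such an account, and notes whether the job fell inside one of that account's VPN sessions. The log format, account names and addresses are all made up.

```python
import re
from datetime import datetime

# Constructed sample data (not from the original post): an offboarding register
# (account -> termination date) plus VPN and print-server log lines in an invented format.
OFFBOARDED = {"jdoe": datetime(2013, 3, 1)}
VPN_LOG = """\
2013-06-12T01:02:11 vpn login user=jdoe src=203.0.113.7 session=s42
2013-06-12T01:05:40 vpn login user=amanager src=198.51.100.9 session=s43
2013-06-12T03:10:00 vpn logout user=jdoe session=s42
""".splitlines()
PRINT_LOG = """\
2013-06-12T01:20:03 print submit job=881 user=jdoe printer=floor7 pages=120
2013-06-12T01:25:30 print submit job=882 user=amanager printer=floor7 pages=2
2013-06-12T04:00:00 print submit job=883 user=jdoe printer=floor7 pages=5
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (vpn|print) (\w+) (.*)$")

def parse(line):
    """Split one log line into (timestamp, source, event, fields)."""
    ts, source, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), source, event, fields

def vpn_sessions(lines):
    """Map session id -> [user, src_ip, start, end]; end is None while still open."""
    sessions = {}
    for ts, _, event, f in map(parse, lines):
        if event == "login":
            sessions[f["session"]] = [f["user"], f["src"], ts, None]
        elif event == "logout" and f["session"] in sessions:
            sessions[f["session"]][3] = ts
    return sessions

def detect(offboarded, vpn_lines, print_lines):
    """Return alerts for offboarded accounts that still show up in VPN or print logs."""
    alerts, sessions = [], vpn_sessions(vpn_lines)
    for user, src, start, _ in sessions.values():
        if user in offboarded:  # access should have been revoked on departure
            alerts.append(f"VPN login by offboarded account {user} (left "
                          f"{offboarded[user]:%Y-%m-%d}) from {src} at {start:%H:%M}")
    for ts, _, _, f in map(parse, print_lines):
        if f["user"] not in offboarded:
            continue
        # A job submitted inside one of that user's VPN sessions is the stronger signal
        live = [sid for sid, (u, _, s, e) in sessions.items()
                if u == f["user"] and s <= ts and (e is None or ts <= e)]
        where = f"during VPN session {live[0]}" if live else "with no VPN session open"
        alerts.append(f"Print job {f['job']} ({f['pages']} pages) on {f['printer']} by offboarded account {f['user']} {where}")
    return alerts
```

Running `detect(OFFBOARDED, VPN_LOG, PRINT_LOG)` yields one VPN alert and two print alerts for the sample data; job 883 is reported as submitted with no VPN session open, since it arrives after the session logged out.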
The takeaway from all of this is that even the best cybersecurity infrastructure in the world is insecure as long as it depends on human interaction.
At the end of the day, there are two approaches you can take to avoid these risks:
Either make the humans who use these systems more aware of the dangers and better equipped to identify them,
or take them out of the equation altogether and abstract the security layer away from them.
This is what we do at Myki. We enable your employees to authenticate to web services without having to remember and type a username and password.