Specifically, 68% of respondents are concerned that cloud applications and data are subject to malware, ransomware and phishing attacks. While 55% are unsure that their cloud security is configured properly, 59% believe they have adequate audit processes and policies in place to secure the cloud. About one in three respondents indicate that it is a challenge to adequately train employees in cybersecurity.
End users under fire
The weakest link in any IT security strategy has always been people, said Keri Pearlson, executive director of the MIT Cybersecurity Research Consortium at MIT Sloan (CAMS). CAMS studies organizational, managerial and strategic issues in the cybersphere. “It only takes one person to click the wrong email or link or install the wrong program and systems get infected. It’s not just end users in the traditional sense, it’s all people who interact with our systems. Any person interacting with systems is a potential vulnerability,” Pearlson says.
While more than 99% of system security measures are typically handled behind the scenes by IT, Salvi says, the small slice of security that users are responsible for accounts for nearly 19 out of 20 cyber-attacks.
“They all start with phishing emails,” Salvi says. “They’re trying to get the keys instead of breaking the locks.” Some phishing attempts, disguised as urgent messages from Human Resources or the C-suite, can fool even an observant user. Covid lockdowns allowed end users to do more damage, and security strategy had to adapt quickly.

Unlike traditional end-user security models, a zero-trust environment does not stop scrutinizing a user after the first login, even one confirmed by fingerprint, face scan, or multi-factor authentication. Once inside, zero trust discreetly follows users through their working day, checking that they aren’t up to something malicious and haven’t accidentally clicked on a link that opens a door to a hacker. Apart from an occasional request to re-authenticate, users won’t notice zero trust unless it decides it can’t trust them and locks them out of where they want to go.
“I don’t have to depend on the user to do the right thing for security to work,” says Salvi. “They don’t have to remember a complex password or change it every three months or be careful about what they download.”
This content is produced by Insights, the custom content arm of MIT Technology Review. It was not written by the editors of MIT Technology Review.