One of the age-old discussions in the realm of cybersecurity is the trade-off between security and usability.
It is often said that ‘a step forward in security is a step backward in usability’. While it is true that cybersecurity will always require some level of cooperation and engagement from end-users, the standards and procedures designed to protect your organization should never be overbearing to a fault.
As witnessed throughout the rest of nature, humans will almost always choose the path of least resistance. If an easier, more straightforward way of doing something exists, most users will choose to take this path, even if it means circumventing the cybersecurity procedures intended to protect them and their organization.
This is why good cybersecurity policies require standards and procedures conducive to productivity. Some may think this is at times impossible, but that need not be the case.
We know credential stuffing attacks are one of the most common techniques used to perform account takeovers. Threat actors take username/email and password pairs from databases of previously breached credentials and ‘stuff’ them into hundreds of other sites in an automated fashion.
Even if a user’s password were extremely complex, any other website where the user reused it would likely be compromised as well. The obvious solution to this is never to reuse a password for multiple accounts. If a website with which you have an account is ever breached and your credentials are leaked, the scope of that breach will be limited strictly to that account.
However, this solution is not as simple as it is obvious.
According to a 2017 study by DashLane, the average person has 150 online accounts. This means that, to follow best practices, an individual should be creating and memorizing 150 distinct and complex passwords. This is simply not feasible and will almost always result in users creating accounts with different websites using the same username and password combination. Simple variations to passwords (such as appending a symbol) offer marginal, if not zero, improvement to this problem.
Sophisticated credential stuffing attacks will automatically attempt common alterations to known passwords.
What if an employee uses their work email to create an account with a website on the internet?
What if to create this account, they reused the password associated with their VPN, Office 365, or Active Directory accounts?
What if this website were breached, and in the resulting data leak were sets of valid credentials for accounts within your organization?
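The reason appending a symbol or a year to a breached password buys so little is that the same mangling rules are applied on both sides: a defender screening new passwords against a breach corpus should canonicalize those alterations before comparing. The check below is an added example, not code from the original post or from Mariner; the breached list is a constructed stand-in for a real breach corpus (a production check would query a breached-password service instead of an inline set).

```python
import hashlib
import re

# Undo the most common substitutions attackers' rule sets apply ("P@ssw0rd" -> "Password").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical_forms(password: str) -> set[str]:
    """Return the password plus the base forms a simple variation would be built from."""
    forms = {password}
    # Strip trailing and leading digits/symbols: "Summer2017!" -> "Summer".
    stripped = re.sub(r"[\W\d_]+$", "", password)
    forms.add(stripped)
    forms.add(re.sub(r"^[\W\d_]+", "", stripped))
    forms |= {f.translate(_LEET) for f in list(forms)}   # reverse leet-speak
    forms |= {f.lower() for f in list(forms)}            # ignore case variants
    return {f for f in forms if f}


def _sha1(text: str) -> str:
    # Published breach corpora are commonly distributed as SHA-1 digests.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed sample corpus of "previously breached" passwords, stored in the
# same canonical forms so a new password is compared base-form to base-form.
BREACHED = {_sha1(f) for p in ("Summer2017", "password", "letmein")
            for f in canonical_forms(p)}


def is_known_or_variant(password: str, breached_hashes: set[str] = BREACHED) -> bool:
    """True if the password, or a trivial alteration of it, appears in the breach corpus."""
    return any(_sha1(f) in breached_hashes for f in canonical_forms(password))


if __name__ == "__main__":
    for candidate in ("Summer2017!", "P@ssw0rd1", "Summer2018", "correct horse battery staple"):
        print(f"{candidate!r}: {'REJECT' if is_known_or_variant(candidate) else 'ok'}")
```

Note that a randomly generated password, which is what a password manager produces, has no breached base form and passes this check.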
Enter the password manager, a desktop or browser-based application that seamlessly generates and stores randomized passwords whenever you create an account online. These passwords are locked behind one ‘master’ password (along with other security controls, but that’s a different blog post).
Whenever you go to log in to this account, your password manager will prompt you to fill out your username and unique, randomly generated password with a click of a button. This is an incredibly user-friendly and intuitive way to manage all of your accounts. One could argue that it is even more convenient to use a password manager rather than the traditional method of creating and saving (potentially reused) passwords in your browser. The average user will feel more encouraged to adopt this method of managing online accounts based on convenience alone, not to mention its incredible security benefits.
This concept of ‘easy-to-comply-with’ cybersecurity measures can be applied to a wide spectrum of IT-related procedures:
Provide an accessible, seamless way to share files within your organization so users don’t share sensitive data through insecure channels such as email or personal Dropbox.
Ensure your processes for creating and provisioning access to cloud assets are not overly arduous to prevent shadow IT users from spinning up their own instances with their personal CSP accounts.
Establish data backup procedures that require no involvement from the end-user to guarantee backups occur dependably and consistently.
The point of this blog post is not to sell you on password managers or to tell you to give users whatever they want whenever they want it. Nor is it to say users who circumvent cybersecurity policies are completely blameless and it’s the fault of policy writers for being too darn secure.
The key message here is cybersecurity professionals have a responsibility to pave the path of least resistance for their end-users while maintaining the security controls and protections the organization requires.
Otherwise, overly burdensome measures will be circumvented in favor of productivity, resulting in the very security incidents they were designed to protect against. To avoid this, the concept of usability should be ‘shifted left’, so to speak, so that accessibility is at the forefront when designing security standards and procedures.
After all, a policy with zero adoption is worth about as much as the Word document it was typed into.
Interested in learning more? Download Mariner’s Cybersecurity Fundamentals White Paper: Getting Your Authentication Right
Mariner Security Solutions Team