In particular, 68% of those surveyed are concerned that cloud applications and data may be susceptible to malware, ransomware and phishing attacks. While 55% are unsure if their cloud security is properly configured, 59% believe they have adequate processes and controls in place to secure the cloud. Approximately one in three respondents said that adequate cybersecurity training for employees is a challenge.
End users under attack
The weakest link in any IT security strategy has always been people, says Keri Pearlson, executive director of the MIT Sloan Cybersecurity Research Consortium (CAMS). CAMS studies organizational, managerial and strategic issues in the cyber sphere. “It only takes one person to click on the wrong email or the wrong link or install the wrong program to get systems infected. These are not just end users in the traditional sense; they are all people who interact with our systems. Every person interacting with systems is a potential point of vulnerability,” says Pearlson.
While IT professionals typically handle more than 99% of system security measures, the tiny fraction that users are responsible for is behind nearly 19 out of 20 cyberattacks, Salvi says.
“They all start with phishing emails,” says Salvi. “They’re trying to get keys, not picking locks.” Some phishing attempts can fool even a cautious user by masquerading as urgent messages from HR or senior management. Covid lockdowns have given end users more scope to do damage, and security strategy is adapting quickly.
Unlike traditional end-user security models, a user’s initial entry into a zero-trust environment—even if verified with a fingerprint, face scan, or multi-factor authentication—is not the end of scrutiny. Once inside, zero trust follows users cautiously through their working day, checking that they aren’t up to something nefarious and haven’t mistakenly clicked on a link that opens the door to a hacker. Except for the occasional re-authentication prompt, users won’t notice zero trust unless it decides it can’t trust them and blocks them from where they want to go.
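The contrast the paragraph draws, a one-time login gate versus a policy that re-evaluates every request, can be made concrete with a small per-request access evaluator. The following is an added illustration, not code from the article or from any vendor it quotes; the session fields, risk signals, thresholds and the replayed "day" of requests are all constructed for the example.

```python
"""Zero-trust style per-request evaluation versus a one-time perimeter check.

Added example; the policy thresholds, signal names and sample session
below are constructed for illustration and are not from any real product.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask the user to re-authenticate before continuing
    DENY = "deny"


@dataclass
class Session:
    user: str
    authenticated_at: float   # seconds since start of day (constructed clock)
    mfa_verified: bool
    device_managed: bool
    risk_score: int = 0       # accumulated from signals seen during the day


@dataclass
class Request:
    now: float
    resource: str
    sensitivity: str                  # "low" or "high"
    source_ip_changed: bool = False   # session suddenly arrives from a new network
    flagged_url: bool = False         # URL filter matched a known-bad link


# Assumed policy constants (hypothetical values, tune per environment).
MAX_AUTH_AGE_HIGH = 15 * 60   # high-sensitivity access needs auth within 15 min
RISK_DENY_THRESHOLD = 80


def perimeter_model(session: Session, request: Request) -> Decision:
    """Traditional model: once the user is past the login, every request is allowed."""
    return Decision.ALLOW


def zero_trust_model(session: Session, request: Request) -> Decision:
    """Evaluate every request against identity, device and behaviour signals."""
    # Risk signals accumulate across the session rather than being forgotten.
    if request.flagged_url:
        session.risk_score += 50
    if request.source_ip_changed:
        session.risk_score += 30
    if session.risk_score >= RISK_DENY_THRESHOLD:
        return Decision.DENY
    # Device posture is re-checked on each request, not only at login.
    if not session.device_managed:
        return Decision.DENY
    # Sensitive resources demand MFA and a recent authentication.
    if request.sensitivity == "high":
        if not session.mfa_verified:
            return Decision.STEP_UP
        if request.now - session.authenticated_at > MAX_AUTH_AGE_HIGH:
            return Decision.STEP_UP
    return Decision.ALLOW


def reauthenticate(session: Session, now: float) -> None:
    """Simulate a successful re-authentication prompt (MFA passed again)."""
    session.authenticated_at = now
    session.mfa_verified = True


Model = Callable[[Session, Request], Decision]


def run_day(model: Model) -> List[str]:
    """Replay a constructed day of requests and return the decision for each."""
    session = Session(user="alice", authenticated_at=0.0,
                      mfa_verified=True, device_managed=True)
    day = [
        Request(now=60, resource="wiki", sensitivity="low"),
        Request(now=20 * 60, resource="payroll", sensitivity="high"),
        Request(now=20 * 60 + 5, resource="payroll", sensitivity="high"),
        Request(now=30 * 60, resource="wiki", sensitivity="low", flagged_url=True),
        Request(now=31 * 60, resource="wiki", sensitivity="low", source_ip_changed=True),
    ]
    decisions = []
    for req in day:
        decision = model(session, req)
        if decision is Decision.STEP_UP:
            # In a real deployment the user would be prompted here; we model success.
            reauthenticate(session, req.now)
        decisions.append(decision.value)
    return decisions


if __name__ == "__main__":
    print("perimeter :", run_day(perimeter_model))
    print("zero trust:", run_day(zero_trust_model))
```

Run against the same replayed day, the perimeter model allows all five requests, while the zero-trust model prompts for re-authentication when a stale login reaches a sensitive resource, lets the user continue once that prompt succeeds, and denies the session only after two independent warning signs (a flagged link, then a network change) push the accumulated risk over the threshold. That last point matters in practice: a single mistaken click should raise the score, not lock the user out, so the evaluator stays invisible until the combined evidence justifies blocking.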
“I don’t have to rely on the user to get it right for the security system to work,” says Salvi. “They don’t have to remember a complex password or change it every three months or be careful about what they download.”
This content was prepared by Insights, the user-generated content division of MIT Technology Review. This was not written by the editors of the MIT Technology Review.