Is it time to ditch the password?

LastPass, one of the largest password managers, has announced that it is the latest business to have been impacted by a data breach.

LastPass, one of the largest password managers, has announced that it has been impacted by a data breach, in which hackers were able to access source data code and technical data.

Despite customers passwords not being compromised in the attack, this has still called into question the security measures taken when protecting many individuals passwords. In this case, the breach was made possible through the compromise of one single developer’s account.

Dominic Trott, Head of UK Strategy at Orange Cyberdefense, has examined the breach and says we must prioritise the ‘human element’ of security. To do this, Trott explains, businesses should  focus on ensuring approaches such as ‘frictionless security’ and ‘security as culture’ are followed. 

“At the very least, it sounds like the LastPass developer whose account was compromised only had access to the applications and data specifically required to conduct their job, indicating that a role-based security policy was in place and that the user had sufficient awareness as to not repeat their username and password combination across multiple accounts," says Trott. "If either of these things were not the case, the malicious actor could easily have gained access to incredibly sensitive assets. It is this point that demonstrates both the risk that insider threats represent, as well as the importance of the human element within an enterprise security strategy.

“Respecting the ‘human element’ of security isn’t to eliminate all security risks, but rather to balance security and usability, allowing users to do their job, securely, and with a good grasp of security hygiene behaviour. As the cliché goes, even the best security technology is no good if users don’t understand it or even actively subvert it. A better approach encompasses two principles, alongside the deployment of technology: ‘frictionless security’ and ‘security as culture’," he adds. 

“First, work out what users need to do in order to conduct their jobs, providing and enabling a technology environment that is secure by design. Tools and techniques such as cloud security posture management, DevSecOps and secure remote access are all examples of means by which to provide a ‘frictionless’ security environment that supports users doing what they want to do, where they want to do it, with minimal interference from security.

“Second, to make sure that users go beyond the bare minimum annual ‘sheep-dip’ of security awareness training, enterprises should aspire to a long-term approach of building security awareness into corporate culture. The key to this ambition is for security teams to understand what the business and the board needs and expects from them, then communicating this using language that is meaningful to their colleagues. This can be accelerated by appointing ‘security champions’ from within business lines who understand both security priorities and the concerns of their own teams, allowing them to make recommendations that address imbalances. Such approaches can help security teams to ‘recruit’ the user-base at large," Trott concludes. 


Featured Articles

IT and OT security with Ilan Barda, CEO of Radiflow

Cyber Magazine speaks with Radiflow’s CEO, Ilan Barda, about converging IT and OT and how leaders can better protect businesses from cybersecurity threats

QR ‘Quishing’ scams: Do you know the risks?

QR code scams, or Quishing scams, are rising and pose a threat to both private users and businesses as cyberattacks move towards mobile devices

Zero Trust Segmentation with Illumio’s Raghu Nandakumara

Head of Industry Solutions at Illumio, Raghu Nandakumara, offers insight into the proposed ban on ransom payments and how businesses can utilise Zero Trust

Is the password dead? Legacy technology prevents the shift

Network Security

Fake Bard AI malware: Google seeks to uncover cybercriminals

Technology & AI

Gartner report highlights threat of supply chain attacks

Cyber Security