LastPass, one of the largest password managers, has announced that it has been impacted by a data breach, in which hackers were able to access source data code and technical data.
Despite customers passwords not being compromised in the attack, this has still called into question the security measures taken when protecting many individuals passwords. In this case, the breach was made possible through the compromise of one single developer’s account.
Dominic Trott, Head of UK Strategy at Orange Cyberdefense, has examined the breach and says we must prioritise the ‘human element’ of security. To do this, Trott explains, businesses should focus on ensuring approaches such as ‘frictionless security’ and ‘security as culture’ are followed.
“At the very least, it sounds like the LastPass developer whose account was compromised only had access to the applications and data specifically required to conduct their job, indicating that a role-based security policy was in place and that the user had sufficient awareness as to not repeat their username and password combination across multiple accounts," says Trott. "If either of these things were not the case, the malicious actor could easily have gained access to incredibly sensitive assets. It is this point that demonstrates both the risk that insider threats represent, as well as the importance of the human element within an enterprise security strategy.
“Respecting the ‘human element’ of security isn’t to eliminate all security risks, but rather to balance security and usability, allowing users to do their job, securely, and with a good grasp of security hygiene behaviour. As the cliché goes, even the best security technology is no good if users don’t understand it or even actively subvert it. A better approach encompasses two principles, alongside the deployment of technology: ‘frictionless security’ and ‘security as culture’," he adds.
“First, work out what users need to do in order to conduct their jobs, providing and enabling a technology environment that is secure by design. Tools and techniques such as cloud security posture management, DevSecOps and secure remote access are all examples of means by which to provide a ‘frictionless’ security environment that supports users doing what they want to do, where they want to do it, with minimal interference from security.
“Second, to make sure that users go beyond the bare minimum annual ‘sheep-dip’ of security awareness training, enterprises should aspire to a long-term approach of building security awareness into corporate culture. The key to this ambition is for security teams to understand what the business and the board needs and expects from them, then communicating this using language that is meaningful to their colleagues. This can be accelerated by appointing ‘security champions’ from within business lines who understand both security priorities and the concerns of their own teams, allowing them to make recommendations that address imbalances. Such approaches can help security teams to ‘recruit’ the user-base at large," Trott concludes.