Is it time to ditch the password?

LastPass, one of the largest password managers, has announced that it is the latest business to have been impacted by a data breach.

LastPass, one of the largest password managers, has announced that it has been impacted by a data breach, in which hackers were able to access source data code and technical data.

Despite customers passwords not being compromised in the attack, this has still called into question the security measures taken when protecting many individuals passwords. In this case, the breach was made possible through the compromise of one single developer’s account.

Dominic Trott, Head of UK Strategy at Orange Cyberdefense, has examined the breach and says we must prioritise the ‘human element’ of security. To do this, Trott explains, businesses should  focus on ensuring approaches such as ‘frictionless security’ and ‘security as culture’ are followed. 

“At the very least, it sounds like the LastPass developer whose account was compromised only had access to the applications and data specifically required to conduct their job, indicating that a role-based security policy was in place and that the user had sufficient awareness as to not repeat their username and password combination across multiple accounts," says Trott. "If either of these things were not the case, the malicious actor could easily have gained access to incredibly sensitive assets. It is this point that demonstrates both the risk that insider threats represent, as well as the importance of the human element within an enterprise security strategy.

“Respecting the ‘human element’ of security isn’t to eliminate all security risks, but rather to balance security and usability, allowing users to do their job, securely, and with a good grasp of security hygiene behaviour. As the cliché goes, even the best security technology is no good if users don’t understand it or even actively subvert it. A better approach encompasses two principles, alongside the deployment of technology: ‘frictionless security’ and ‘security as culture’," he adds. 

“First, work out what users need to do in order to conduct their jobs, providing and enabling a technology environment that is secure by design. Tools and techniques such as cloud security posture management, DevSecOps and secure remote access are all examples of means by which to provide a ‘frictionless’ security environment that supports users doing what they want to do, where they want to do it, with minimal interference from security.

“Second, to make sure that users go beyond the bare minimum annual ‘sheep-dip’ of security awareness training, enterprises should aspire to a long-term approach of building security awareness into corporate culture. The key to this ambition is for security teams to understand what the business and the board needs and expects from them, then communicating this using language that is meaningful to their colleagues. This can be accelerated by appointing ‘security champions’ from within business lines who understand both security priorities and the concerns of their own teams, allowing them to make recommendations that address imbalances. Such approaches can help security teams to ‘recruit’ the user-base at large," Trott concludes. 

Share

Featured Articles

Gartner unveils top cybersecurity predictions for 2023-2024

Half of CISOs will formally adopt human-centric design practices into their cybersecurity programmes, while adoption of zero trust architecture will rise

DDoS protection market to grow amid increase in attacks

According to research by Cloudflare, DDoS attacks increased by 109% last year, with the last 12 months seeing some of the largest attacks the world

The impact data poisoning has on cyber and AI

We take a look at why the risks of data and AI poisoning is continuing to wreak havoc on the cybersecurity industry

Five innovative ways AI can help prevent cyber attacks

Cyber Security

SailPoint delivers new non-employee risk management solution

Cyber Security

Akamai shares details of Asia’s record-breaking DDoS attack

Network Security