The IT department can lock down anything it wants, but all it takes is one careless human to cause a destructive breach. In a mobile society where everything is connected, human beings are truly the Achilles’ heel of security, explains one expert, and it’s one that needs a little more focus.
“There hasn’t been a lot of accountability of users,” says Garrett Bekker, a principal security analyst at 451 Research. “If they do something bad, there are no consequences, so people don’t take security as seriously as they should.”
What can companies do to address the human side of cybersecurity? Here are three steps companies can take to shore up their weakest links.
1. Get Out of the Password Business
Between social engineering and just plain carelessness, employees and customers get into a lot of trouble clicking on links and sharing passwords. Kyle Randolph, Optimizely’s senior director of security, privacy and compliance, says it’s up to IT to remove the risk with single sign-on solutions.
2. Make Security Training Part of the Business
Granite Properties conducts security training for everyone who touches its infrastructure, including the 40 percent of its users who are contractors.
“Even if someone is locked down and can only get to a few things, you’ve got to make sure those people understand security and what phishing is, for example. It’s important to create a culture of security throughout an organization,” says Clint Osteen, senior director of IT.
3. Give Users the Security Tools They Need
While the cloud can be extremely useful, cloud applications can open potential security holes, says 451 Research’s Bekker. “We all know about shadow IT. If a user doesn’t like what you’re offering, that user will go find a free app. While it might be helpful, it can also be risky,” he says.
He suggests asking users about their needs and what they are using now so IT can find options that have been vetted for security.