Specifically, 68% of the people interviewed are concerned that apps and cloud data are vulnerable to malware, ransomware, and phishing attacks. Although 55% do not feel confident that cloud security is properly configured, 59% believe they have adequate control processes and policies in place to secure the cloud. About one in three respondents said that training employees appropriately in cybersecurity is a challenge.
End users are under attack
The weakest link in any IT security strategy has always been people, says Keri Pearlson, executive director of Cybersecurity at MIT Sloan (CAMS), a research consortium that studies organizational, managerial, and strategic issues in the cyber domain. “It only takes one person to click on the wrong email or the wrong link, or install the wrong software, for systems to become infected. It’s not just end users in the traditional sense; everyone interacts with our systems. Everyone who interacts with systems is the potential weak point.”
Although more than 99% of security measures are handled by the IT department, Salvi says, the tiny fraction that depends on users is responsible for roughly 19 out of 20 cyber attacks.
“They all started with phishing emails,” Salvi says. “They’re trying to get the keys instead of breaking the locks.” Some phishing attempts can fool even a wary user by masquerading as urgent messages from HR or the C-suite. Covid lockdowns put end users in a position to do more harm, and security strategy is adapting quickly.
Unlike traditional end-user security models, a user’s initial login into a zero-trust environment, even when confirmed by a fingerprint, face scan, or multifactor authentication, does not mark the end of monitoring. Once in, the user is quietly and continuously distrusted as they navigate the network: every request is checked to make sure they are not reaching anything out of the ordinary and have not accidentally clicked a link that opens the door to an attacker. Apart from the occasional request to re-authenticate, users notice the lack of trust only when the system decides it cannot trust them and blocks something they want to reach.
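To make the continuous-evaluation idea above concrete, here is a small policy engine that re-decides every request after login. It is an added illustration written for this page, not code from the article or from any vendor it mentions; the hostnames, groups, timeouts and the blocked lookalike domain are constructed sample data, and the split into allow / step-up / deny is one common way to model the behaviour the paragraph describes.

```python
"""Per-request access decisions in a zero-trust model (added illustration).

A successful login is the start of evaluation, not the end of it: every request
is checked again against identity, device posture, session freshness and the
destination being reached. Users, hosts and policy data below are constructed
sample values, not taken from any real deployment.
"""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse

INTERNAL_SUFFIX = ".internal.example"   # constructed private-application namespace
MAX_SESSION_AGE = 8 * 3600              # any request after 8h forces re-authentication
SENSITIVE_REAUTH_AGE = 15 * 60          # sensitive apps want authentication < 15 min old

# Constructed policy data; in practice this comes from the identity provider
# and from threat-intelligence feeds.
APP_ENTITLEMENTS = {
    "wiki.internal.example": {"everyone"},
    "payroll.internal.example": {"finance"},
    "prod-admin.internal.example": {"sre"},
}
SENSITIVE_APPS = {"payroll.internal.example", "prod-admin.internal.example"}
BLOCKED_HOSTS = {"hr-payroll-urgent-update.example.net"}  # lookalike phishing host


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # permissible, but the user must authenticate again first
    DENY = "deny"


@dataclass
class Session:
    user: str
    groups: frozenset
    authenticated_at: int      # epoch seconds of the last strong authentication
    mfa: bool
    device_compliant: bool     # posture reported by the endpoint agent


def evaluate(session: Session, url: str, now: int):
    """Return (Decision, reason) for one request made inside an existing session."""
    host = (urlparse(url).hostname or "").lower()
    age = now - session.authenticated_at

    # Identity, device and destination are checked on every request, not once at login.
    if not session.mfa:
        return Decision.DENY, "login did not complete multifactor authentication"
    if not session.device_compliant:
        return Decision.DENY, "device failed posture check"
    if host in BLOCKED_HOSTS:
        return Decision.DENY, f"{host} is a known phishing destination"
    if age > MAX_SESSION_AGE:
        return Decision.STEP_UP, "session older than 8h, re-authenticate"

    if host.endswith(INTERNAL_SUFFIX):
        # Private apps are default-deny: only published apps, only entitled groups.
        allowed = APP_ENTITLEMENTS.get(host)
        if allowed is None:
            return Decision.DENY, f"{host} is not a published application"
        if not (session.groups & allowed):
            return Decision.DENY, f"{session.user} is not entitled to {host}"
        if host in SENSITIVE_APPS and age > SENSITIVE_REAUTH_AGE:
            return Decision.STEP_UP, "sensitive app requires fresh authentication"
        return Decision.ALLOW, "entitled internal application"

    # Public destinations are allowed unless blocked above; each one is still evaluated.
    return Decision.ALLOW, "public destination"


def reauthenticate(session: Session, now: int) -> Session:
    """Model a successful step-up: same identity, refreshed authentication time."""
    return Session(session.user, session.groups, now, True, session.device_compliant)


if __name__ == "__main__":
    t0 = 1_700_000_000
    alice = Session("alice", frozenset({"finance", "everyone"}), t0, True, True)
    for url, now in [
        ("https://wiki.internal.example/page", t0 + 60),
        ("https://payroll.internal.example/run", t0 + 60),
        ("https://payroll.internal.example/run", t0 + 3600),
        ("https://hr-payroll-urgent-update.example.net/login", t0 + 3600),
        ("https://prod-admin.internal.example/", t0 + 60),
    ]:
        decision, reason = evaluate(alice, url, now)
        print(f"+{now - t0:>5}s {decision.value:8} {url}  ({reason})")
```

The ordering matters: a missing second factor, a non-compliant device or a known-bad destination is denied outright and never offered a step-up prompt, while a legitimate but stale session is asked to re-authenticate rather than blocked. The last case in the paragraph, a user being stopped on the way to something they genuinely need, shows up here as a DENY on an unpublished or un-entitled internal host; that is the false-positive cost a zero-trust policy has to be tuned against.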
“You don’t have to rely on the user to do the right thing for security to work,” Salvi says. “They don’t have to remember a complex password, change it every three months, or be careful about what they download.”
This content was produced by Insights, the dedicated content arm of the MIT Technology Review. It was not written by the editorial team at the MIT Technology Review.