Specifically, 68% of the interviewees worry about cloud applications and data being subject to malware, ransomware, and phishing attacks. Although 55% don’t feel confident that their cloud security is properly configured, 59% believe that they have adequate control processes and policies to secure the cloud. About one out of three respondents said it’s a challenge to train employees adequately on cybersecurity.
End users under attack
The weakest link in any IT security strategy has always been people, says Keri Pearlson, executive director of the MIT research consortium Cybersecurity at MIT Sloan (CAMS). CAMS studies organizational, managerial, and strategic issues in the cybersphere. “It only takes one person to click on the wrong email or the wrong link or install the wrong program for systems to get infected. It’s not just end users in the traditional sense, it’s all the people that interact with our systems. Every single person that interacts with systems is a possible vulnerability point,” Pearlson says.
Although typically more than 99% of system security measures are handled on the back end by IT, says Salvi, the tiny sliver of security threats users are responsible for accounts for almost 19 out of 20 cyberattacks.
“They all start through phishing emails,” Salvi says. “They’re trying to get the keys rather than breaking the locks.” Some phishing attempts can fool even a wary user, masquerading as urgent messages from human resources or the C-suite. Covid lockdowns put end users in a position to do more damage, and security strategy adapted quickly.
In contrast to traditional end-user security models, a user’s initial sign-in to a zero-trust environment—even one confirmed by a fingerprint, a face scan, or multifactor authentication—isn’t the end of surveillance. Once in, zero trust discreetly follows as users go about the cyber-day, making sure they aren’t up to something nefarious, and haven’t mistakenly clicked on a link that opens a door to a hacker. Except for an occasional request to re-authenticate, users won’t notice zero trust unless it decides it can’t trust them and locks them out of somewhere they want to go.
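To make the idea of "following the user after sign-in" concrete, here is a small added Python example (not code from the article, CAMS, or any vendor quoted in it). It models a session that has already passed strong authentication and then re-scores every request against device binding, location, age of the last strong authentication, and an accumulated risk score fed by an upstream signal such as a flagged link click. The decisions, thresholds, resource names and the `flagged_link_click` signal are all assumptions chosen for illustration.

```python
"""Per-request trust evaluation for an already signed-in user (illustrative example)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REAUTH = "step-up"   # ask the user to authenticate again before proceeding
    DENY = "deny"        # lock the session out of this resource


@dataclass
class Session:
    user: str
    device_id: str
    country: str
    last_strong_auth: int      # epoch seconds of the last MFA / biometric check
    risk_score: int = 0        # accumulates from observed behaviour during the session


@dataclass
class Request:
    at: int                    # epoch seconds
    resource: str
    device_id: str
    country: str
    flagged_link_click: bool = False   # assumed signal from a mail or web filter


MAX_AUTH_AGE = 8 * 3600         # sensitive resources need strong auth within 8 hours (assumed)
SENSITIVE = {"payroll", "source-control", "admin-console"}   # constructed list
DENY_THRESHOLD = 100            # risk score at which the session is locked out (assumed)
LINK_CLICK_PENALTY = 40         # risk added per flagged click (assumed)


def evaluate(session: Session, req: Request) -> Decision:
    """Re-check trust on every request instead of only at sign-in."""
    # A different device presenting the same session suggests stolen credentials.
    if req.device_id != session.device_id:
        return Decision.DENY
    # Fold new behavioural signals into the running risk score first.
    if req.flagged_link_click:
        session.risk_score += LINK_CLICK_PENALTY
    if session.risk_score >= DENY_THRESHOLD:
        return Decision.DENY
    # Location changed since sign-in: plausible, but confirm it is the same person.
    if req.country != session.country:
        return Decision.REAUTH
    # Sensitive resources demand a recent strong authentication.
    if req.resource in SENSITIVE and req.at - session.last_strong_auth > MAX_AUTH_AGE:
        return Decision.REAUTH
    return Decision.ALLOW


def reauthenticate(session: Session, at: int, country: str) -> None:
    """Record a fresh strong authentication (MFA passed) and the location it came from."""
    session.last_strong_auth = at
    session.country = country


def run_day(session: Session, requests: list) -> list:
    """Evaluate a sequence of requests in order; returns the decision names."""
    return [evaluate(session, r).value for r in requests]


if __name__ == "__main__":
    alice = Session("alice", "laptop-01", "US", last_strong_auth=0)
    day = [                                   # constructed sample traffic
        Request(100, "wiki", "laptop-01", "US"),
        Request(200, "payroll", "laptop-01", "US"),
        Request(300, "wiki", "laptop-01", "US", flagged_link_click=True),
        Request(400, "wiki", "laptop-01", "US", flagged_link_click=True),
        Request(500, "wiki", "laptop-01", "US", flagged_link_click=True),
    ]
    for req, decision in zip(day, run_day(alice, day)):
        print(f"{req.at:>5}s {req.resource:<12} -> {decision}")
```

The user never sees the evaluator on an ordinary day: the first two requests pass, and only the third flagged click pushes the risk score over the threshold and locks the session out, matching the "occasional request to re-authenticate, otherwise invisible" behaviour the article describes.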
“I don’t have to depend on the user to do the right thing for the security to work,” says Salvi. “They don’t have to remember a complex password or change it every three months or be cautious about what they download.”
This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by MIT Technology Review’s editorial staff.