Specifically, 68% of respondents are concerned about malware, ransomware and phishing attacks on cloud applications and data. While 55% are not confident their cloud security is properly configured, 59% believe they have adequate control processes and policies to secure the cloud. About one-third of respondents said that adequate cybersecurity training for employees is a challenge.
End user under attack
The weakest link in any IT security strategy has always been people, says Keri Pearlson, executive director of MIT Research Alliance Cybersecurity at MIT Sloan (CAMS). CAMS studies organizational, managerial, and strategic issues in the cyber domain. “All it takes is one person clicking the wrong email or the wrong link or installing the wrong program, and a system gets infected. Not just end users in the traditional sense, but everyone who interacts with our systems. Anyone interacting with the system is a potential vulnerability point,” Pearlson said.
While more than 99 percent of system security measures are typically handled on the back end by the IT department, almost 19 out of 20 cyberattacks began with the small subset of security threats for which users are responsible, Salvi said.
“They all started with phishing emails,” Salvi said. “They’re trying to get the key, not break the lock.” Some phishing attempts, masquerading as urgent messages from HR or top management, can trick even cautious users. Covid lockdowns have made it easier for end users to do more damage, and security policies must adapt quickly.
In contrast to traditional end-user security models, the first user login to a zero-trust environment—even one confirmed by fingerprints, face scans, or multi-factor authentication—is not the end of scrutiny. Once users are inside the network, zero trust keeps following them carefully as they go through their cyber days, checking that they haven’t done anything nefarious and have not mistakenly clicked on links that open the door to hackers. Aside from the occasional reauthentication request, the user won’t notice zero trust unless it decides it can’t trust you and locks you out of where you want to go.
“I don’t have to rely on the user to do the right thing to work safely,” Salvi said. “They don’t have to remember complicated passwords or change them every three months, and they don’t have to be cautious about what they download.”
This content is produced by Insights, the custom content arm of MIT Technology Review. It was not written by the editorial staff of MIT Technology Review.