February 9, 2021

In Defense of the “Dumb User” – Are Security Solutions too Complex?

Despite the best efforts of security providers and users, data breaches continue to proliferate, with 37 billion records exposed in data breaches in 2020, a 141% increase over 2019. And each time there’s a breach, we go through the same process of trying to figure out who’s to blame.

Was it an IT admin, who configured a piece of software incorrectly? Was it a user, who clicked on a link they shouldn’t have and unwittingly installed ransomware that spread throughout the system?

Regardless of where the fault lies, common cybersecurity best practices tend to revolve around changing user behaviors. For example, the user needs to make sure their software is always up to date, use strong passwords and change them frequently, and not reuse the same password. Users are also advised against clicking on suspicious emails or opening suspicious attachments.

But, when you’re moving quickly and receiving increasingly convincing phishing emails, how are users supposed to know what’s safe to click on, and what’s not? IT admins are taught to carefully consider the impacts of every configuration decision, but it’s nearly impossible for even the most experienced security professional to account for every dependency in every software.

So, is changing human behavior really the best way to guard against threats? There’s a commonly held belief that people are the weakest link in cybersecurity. That at best, they’re prone to make mistakes, and at worst, they’re careless, dumb or lazy. But if we’ve bought into that premise, then why are we still placing so much responsibility for security in the hands of the user? Shouldn’t we be trying to reduce the risk of the human element?

Instead of trying to swim against the currents of human error, we should try to go with the flow, building in the tools, processes and strategies that reduce or eliminate their potential to impact security in the first place. Let’s design security solutions with the user in mind, building software that minimizes the need to deal with complexity, threats and vulnerabilities.

Reducing the risk of human error

The best way to reduce the risk of human error – and therefore, the risk of data breaches – is to eliminate situations where IT users must juggle needlessly complex routines that only open the door to mistakes. Here are three ways to improve cybersecurity.

1) Simplify

First, simplify what’s required of the user. We already have an excellent blueprint for this in the cloud, and continuing the cloudification of corporate IT is the next logical step. Through the cloud, we can eliminate the need for users to install certain types of software, like document processing, file storage and sometimes even financial tools. Instead, users can trust the management and security of those tools to the experts.

2) Minimize the number of decisions required from the user

Second, minimize risk by reducing the number of decisions IT users need to make. Immutable infrastructure provides an environment where the user can safely complete a task without worrying about breaking something else.

3) Automate

And finally, let’s embrace automation. There are a number of IT processes that can be automated to eliminate the risk involved with human error. Here’s an example. Permanent passwords and secure access credentials can be forgotten, stolen, mismanaged, misconfigured and lost, leaving businesses open to massive risk. But, we can automate access through single sign-on. This type of credentialless access, not granted by user passwords, simplifies the user experience by enabling users to access everything they need with one click. Better yet, there are no permanent credentials needed, eliminating the risk that those credentials might fall into the wrong hands.

The bottom line is that security solutions today are simply too complex, leaving businesses open to risk of breaches because of human error. We can reduce the capacity for human error by designing security solutions that put the user first, automate routines and reduce unnecessary complexity.

In conclusion

You've probably figured it out already that I've been discussing a particular area of cybersecurity, which is privileged access management (PAM). Instead of explaining the topic any further here, I recommend you take a look at this pretty neat infographic that explains which elements your PAM does NOT need. After all, simplicity starts with reducing complexity.

5 Elements to Avoid When Deploying PAM >>>

While you're at it, check out our lean, simple and scalable PAM solution, PrivX, to get started on your journey to reduce complexity.

Miikka Sainio

Miikka guides the software architecture and development at SSH. He has over 20 years of experience in the IT industry, building teams and developing products in startups and large enterprises.
