In Defense of the “Dumb User” – Are Security Solutions too Complex?

Despite the best efforts of security providers and users, data breaches continue to proliferate, with 4.1 billion records exposed in data breaches in the first half of 2019 alone. And each time there’s a breach, we go through the same process of trying to figure out who’s to blame.

Was it an IT admin, who configured a piece of software incorrectly? Was it a user, who clicked on a link they shouldn’t have and unwittingly installed ransomware that spread throughout the system?

Regardless of where the fault lies, common cybersecurity best practices tend to revolve around changing user behaviors. For example, the user needs to make sure their software is always up to date, use strong passwords and change them frequently, and not reuse the same password. Users are also advised against clicking on suspicious emails or opening suspicious attachments.

But when you’re moving quickly and receiving increasingly convincing phishing emails, how are users supposed to know what’s safe to click on and what’s not? IT admins are taught to carefully consider the impact of every configuration decision, but it’s nearly impossible for even the most experienced security professional to account for every dependency in every piece of software.

So, is changing human behavior really the best way to guard against threats? There’s a commonly held belief that people are the weakest link in cybersecurity: at best, they’re prone to making mistakes, and at worst, they’re careless, dumb or lazy. But if we’ve bought into that premise, then why are we still placing so much responsibility for security in the hands of the user? Shouldn’t we be trying to reduce the risk of the human element?

Instead of trying to swim against the currents of human error, we should try to go with the flow, building in the tools, processes and strategies that reduce or eliminate their potential to impact security in the first place. Let’s design security solutions with the user in mind, building software that minimizes the need to deal with complexity, threats and vulnerabilities.

Reducing the risk of human error

The best way to reduce the risk of human error – and therefore, the risk of data breaches – is to eliminate situations where IT users must juggle needlessly complex routines that only open the door to mistakes. Here are three ways to improve cybersecurity.

First, simplify what’s required of the user. We already have an excellent blueprint for this in the cloud, and continuing the cloudification of corporate IT is the next logical step. Through the cloud, we can eliminate the need for users to install certain types of software, like document processing, file storage and sometimes even financial tools. Instead, users can trust the management and security of those tools to the experts.

Second, minimize risk by reducing the number of decisions IT users need to make. Immutable infrastructure provides an environment where the user can safely complete a task without worrying about breaking something else.

And finally, let’s embrace automation. There are a number of IT processes that can be automated to eliminate the risk involved with human error. Here’s an example. Permanent passwords and secure access credentials can be forgotten, stolen, mismanaged, misconfigured and lost, leaving businesses open to massive risk. But we can automate access through single sign-on. This type of credentialless access, not granted by user passwords, simplifies the user experience by enabling users to reach everything they need with one click. Better yet, no permanent credentials are needed, eliminating the risk that those credentials might fall into the wrong hands.
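The following is an added illustration of the point above, not code from SSH.COM or from any product the post describes. It contrasts a permanent credential that stays valid forever with a short-lived, signed access token that an identity provider could hand out after single sign-on. The issuer secret, the `issue_token`/`verify_token` helper names, the token format and the sample user `alice` are all constructed for this example; a production system would use a proper token or certificate format and keep the issuer key in the identity provider or CA.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed issuer secret for this example only. In a real deployment the
# signing key lives inside the identity provider / CA, never on the client.
ISSUER_SECRET = b"example-issuer-secret-not-for-production"

# Constructed permanent credential store, kept in plaintext only to keep the
# contrast short; a real store would hold salted password hashes.
PERMANENT_PASSWORDS = {"alice": "hunter2"}


def check_permanent_password(user: str, password: str) -> bool:
    """A permanent credential has no expiry: once leaked it stays valid until
    someone notices and rotates it."""
    stored = PERMANENT_PASSWORDS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def _sign(secret: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over the payload, base64url encoded without padding."""
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None,
                secret: bytes = ISSUER_SECRET) -> str:
    """Mint a short-lived token 'subject|issued|expires|signature'.

    `now` is injectable so the behaviour can be tested deterministically.
    """
    if "|" in subject:
        raise ValueError("subject must not contain the field separator '|'")
    issued = int(now if now is not None else time.time())
    expires = issued + ttl_seconds
    payload = f"{subject}|{issued}|{expires}".encode()
    return payload.decode() + "|" + _sign(secret, payload)


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = ISSUER_SECRET) -> Optional[str]:
    """Return the subject if the token is authentic and unexpired, else None.

    The signature is checked before the expiry so that a tampered expiry
    field is rejected as a forgery, not merely as an expired token.
    """
    try:
        subject, issued_s, expires_s, sig = token.split("|")
    except ValueError:
        return None
    payload = f"{subject}|{issued_s}|{expires_s}".encode()
    if not hmac.compare_digest(_sign(secret, payload), sig):
        return None
    current = int(now if now is not None else time.time())
    if current >= int(expires_s):
        return None
    return subject


if __name__ == "__main__":
    # A leaked permanent password is as good a year later as on day one.
    print("permanent password still valid:", check_permanent_password("alice", "hunter2"))

    # A five-minute token issued at t=1000 works at t=1200 but not at t=1300.
    tok = issue_token("alice", ttl_seconds=300, now=1000)
    print("token at t=1200:", verify_token(tok, now=1200))
    print("token at t=1300:", verify_token(tok, now=1300))
    print("tampered token:", verify_token(tok.replace("|1300|", "|9999|"), now=1200))
```

The token here carries its own expiry, so a copy that leaks is only useful for the remaining seconds of its lifetime, and nothing needs to be revoked or rotated by hand. The injectable `now` parameter is what lets the expiry logic be exercised in a unit test without sleeping.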

The bottom line is that security solutions today are simply too complex, leaving businesses open to risk of breaches because of human error. We can reduce the capacity for human error by designing security solutions that put the user first, automate routines and reduce unnecessary complexity.


Author: Markku Rossi

Markku Rossi is CTO and responsible for R&D at SSH.COM. Markku was with SSH from 1998-2005 as a Chief Engineer and was a major contributor to the SSH software architecture. Prior to rejoining the company in 2015, he co-founded several companies such as Codento and ShopAdvisor, and served as CTO at Navicore and as Chief Architect at Nokia. He has a Master of Science degree in Computer Science from Aalto University.
