
Analyst Chat #140: Debunking the Myth of the Human Being the Biggest Risk in Cybersecurity

It is always easy to blame people, i.e. users, for data breaches and ransomware attacks. But is that really still true today? Martin Kuppinger and Matthias discuss this cybersecurity myth and finally defend users against unjustified accusations.


Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the practice IAM here at KuppingerCole Analysts. My guest today is Martin Kuppinger. He is one of the founders and the Principal Analyst of KuppingerCole Analysts. Hi, Martin.

Hi, Matthias. Pleasure to talk to you.

Good to have you. And we want to talk about a topic that is not so close to our immediate research. But we want to talk about the topic that is always in the news and that is always mentioned when it comes to securing workplaces, securing the private user in the Internet in general. It's the saying that...

But also the user in the enterprise.

So it's very close to our topics. I would say it's very close. It's very close to topics like passwordless authentication, like identity, like everything in cybersecurity. But, mention the topic.

Absolutely. Yes. Well, the topic is that the user, the human being, is usually considered to be the weakest link in cybersecurity. And this is something that we want to talk about. You have a clear opinion on that. What is that?

I totally disagree with this statement. I believe it's absolutely unfair to all the users. Be it the workforce, be it your business partners, be it the customers and consumers. Because I think we are oversimplifying things by saying, okay, the user did something wrong, so the user is guilty. When you look at different types of surveys, then most of the surveys come up and say, okay, most of the breaches today, most of the attacks are related in some way to identities, to passwords and the related stuff. I think there might be a little bit more of attacks that are related to improper patching, etc. But anyway, I think saying whatever 78%, depending on the survey, of these attacks are related to something going wrong at the user end. This is misleading because at the end, the story is, oh, the user didn't care enough about a password and so the user is guilty. No! The problem is that the user had to care about a password, that the user had to care about a lot of things we can fix by technology already. If the user doesn't need to use a password, if we use modern passwordless authentication which includes multi-factor authentication, then we won't have the password problem. We won't have these issues. And so claiming that a user is guilty, from my perspective, is unfair. And we should really get away from this sentence and think about what we can do to make the user's life easier and to increase security. I think this is the point.

When you say what we can do, who is we? Is this the provider of services? Is this the employer? Is this the partner network that you're working in? Who is we? Who needs to act?

At the end it's IT, depending on which part of IT, and which organization cares about the topics such as authentication, such as having something in place that checks documents that come in via emails, so email security stuff, etc., all the ones that are responsible for IT. That means it's the IT security and the identity team, it's the CISO, it's the CIO and it's the C-level that at the end gives the money. And that holds true for workforce, for partners, and for consumers. The sheer fact that the vast majority of websites still primarily or even only work with username and password is part of this problem. And this is where I think we need to start. So don't just say, okay, the user is the weakest link, and oh, if we train the user, maybe it gets better. But at the end, the user is still guilty. Avoid having the user have to care about these things.

I think the regulators in highly regulated industries have already understood that, who made strong authentication a key requirement when it comes to fulfilling regulatory requirements. But when it comes to implementing this on the one hand and really getting that into a broader field of applications, which might be not that sensitive but sensitive enough to be breached, there is still some lack. So the call for action would be, for example, to move to MFA, to passwordless authentication. And when it comes to the user, okay, he is not to be considered the weakest link, but do we still need to think of training, awareness training and making the actual user, every user, private and employee user, more aware of what they can do as well? On top of that, even make the employer do it?

Yeah, I think there are two things in your question, or in your comment. The one is, yes, it's about passwordless MFA. It's not just about MFA, it's about passwordless MFA because passwords are one thing which can be relatively easily obtained by social phishing and other types of attacks. So if there's less knowledge involved, things become more complicated. It is the interesting thing to me with passwordless MFA, that it is, for God's sake, not about balancing security and convenience anymore, because balancing means security goes up, convenience goes down, or convenience goes up, security goes down. We need to combine it. We need to get better in both. And that's what passwordless MFA is doing, getting better in security and in convenience. And this is the way of thinking you also should have.

So this is the one part. The other part is, do we still need security awareness training? The answer is absolutely yes. But it's not the solution. It's something which adds to the solution. And this helps us then thinking about a user, and in terms of another sentence, which is sometimes brought up but less frequently than the other one, which says "the user is the weakest link", there's the other one which says "the user is the first line of defense" and I think this is something we should focus on: making the life of users simple and then educating the users on what are signs of fraud, what are signs of attacks. So that they can alert, that they can react. And then we can much more focus on the things that are harder to handle by technology. But getting rid of passwords, having a strong email security and all that stuff, that is the starting point. And we can do a lot. We have a lot of technologies that are convenient, that are frequently acting in the background. So a simple thing is, when you open a document from browsers, frequently something like checking the link first, centrally secure links in the Edge browser and towards Microsoft or something like that is happening, where already there is something happening in the background. We have so much technology also about fraud detection, fraud reduction, anomaly detection, etc. that helps us in the background identifying anomalies, so we can apply a lot of technologies which sort of remove the burden from the shoulders of the end user. But still, if the end user is good in understanding and is educated, then still the end user can support in identifying the things machines might not have identified. But the first and foremost thing is to change our thinking, to change all the mindset from just blaming the user, being guilty, to fixing the things we haven't done well in IT and IT security.

Right. And I think it's a great thing that we finally apply this usual IT way of thinking also to the issues and to the challenges that we have when it comes to authentication, to authorization, to cybersecurity. Just identifying the problem: what can happen? Passwords and everything around passwords, or dangerous content and protection against dangerous content within documents and applications, and then applying the right technology to prevent that from happening. And I think we are finally at the stage that we can do that. And you've mentioned the technologies: MFA, passwordless, link checking, active components scanning on the machine or somewhere else, sandboxing, whatever. We have the technologies and this is really a great shift in the way we look at things.

We need to be careful and conscious that we don't do technology overkill here. The only thing we should understand is always risk and relate technology to risk. So which technology helps to which extent in mitigating risk? Which is really effective? And what is the price to pay for that? So you can easily create a matrix which says, okay, this is the risk mitigation impact of a technology and this is the total cost of ownership. And if you create it the right way, so TCO on top, high risk mitigation to the right, then in the upper right corner there will be the technologies that help you most with the lowest investment. And that is where we should focus on and always keep convenience in mind. So security plus convenience, that's another important aspect because it must be easy to use and we can do a lot with that. My favorite example these days is when you take contactless payments, when you go to a shop. When the regulation PSD2, or Payment Services Directive 2, came out a couple of years ago, the limit was €30 and then it has been increased to €50. When the regulation came out, they said, for strong customer authentication, so where we need to enter the PIN, where we need to enter a second factor, they will even observe whether they can keep the €30 limit. But it turned out that the risk management systems in the background are effective enough to ensure that it even could go higher, not lower, because technology really helped here. So this is where the convenience with good security in the background could have been increased. This is the way of thinking we need.

Absolutely. And you're right, you said in the beginning and contradicted me that we are not that close to the things we do in our daily lives as analysts and advisors, and now we are at the stage where we see it's processes, it's technologies, it's risk assessments, it's really understanding how things should work and then applying the right technology whenever needed and also adding human common sense to what you are doing. And this brings me to my final thought. We are close to the upcoming Cybersecurity Leadership Summit in Berlin, from 8th to 10th of November. And it will also be online. So it's a hybrid event. You can join us, you, Martin, me, Matthias, in Berlin, or you can be there virtually and join us in this event. And I would highly recommend to the audience to listen in, to join us. I think there are even some speaking slots still left. So just reach out to us and go to our website and click on the CSLS. And I think these things will be topics that we will be covering, this is an entry point, end user security, but there is much more. Any thoughts from your side regarding CSLS?

No, just looking forward to meeting you in person in Berlin. It would be great.

Absolutely. And highly recommended. For everything else, go to our website, there's lots of information also on passwordless, just currently created by our team of analysts as well. So see you in Berlin in November. Contact us if you have any questions, if you have any thoughts on this podcast. If you're listening to that on YouTube, please leave a comment in the comments section and reach out to us. If you're doing this in your regular podcatcher, just send us a message. Our contact information is everywhere around the web, and just reach out to us. We will be happy to pick up your thoughts and comments and topics. Thanks again, Martin, for joining me and looking forward to seeing you in Berlin and looking forward to having you in an upcoming episode very soon.

Thank you. Bye.

Thank you. Bye bye.
