Specifically, 68% of respondents worry that applications and data in the cloud will be vulnerable to malware, ransomware and phishing attacks. While 55% are not confident that their cloud security is properly configured, 59% believe they have adequate control processes and policies in place to secure the cloud. About one in three respondents said that it is a challenge to adequately train employees about cyber security.
End users are under attack
The weakest link in any IT security strategy has always been people, says Keri Pearlson, executive director of the MIT Cybersecurity Research Consortium at MIT Sloan (CAMS). CAMS studies organizational, management and strategic issues in the cybersphere. “It only takes one person clicking on the wrong email or the wrong link or installing the wrong program for systems to become infected. Not just end users in the traditional sense, but all people who interact with our systems. Every single person who interacts with the systems is a possible point of vulnerability,” says Pearlson.
While typically more than 99% of system security measures are handled by IT, Salvi says, a small fraction of security threats are responsible for nearly 19 out of 20 cyber attacks.
“They all start with phishing emails,” says Salvi. “They’re trying to get keys instead of breaking locks.” Some phishing attempts can fool even a wary user, masquerading as urgent messages from HR or the C-suite. Covid lockdowns put end users in a position to do more damage, and security strategy has been adapting quickly.
Unlike in traditional end-user security models, a user’s initial login to a zero-trust environment—even one authenticated by fingerprint, face scan, or multi-factor authentication—is not the end of surveillance. Once users are in, zero trust follows them discreetly as they go about their cyber-day, making sure they’re not up to something nefarious and haven’t mistakenly clicked on a link that opens the door to a hacker. Aside from the occasional request to re-authenticate, users won’t notice zero trust unless it decides it can’t trust them and locks them out of the places they want to go.
“I don’t have to depend on the user to do the right thing for security to work,” says Salvi. “They don’t have to remember a complex password or change it every three months or be careful about what they download.”
This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by the MIT Technology Review editorial board.