LastPass recently announced that they have been subject to a data breach, with some of their source code stolen (don’t worry, master passwords appear to be safe). It triggered a few loosely related thoughts about the situation, with people being the common thread.
We aren’t here to demonise LastPass. I’m going to go out on a limb and assume that LastPass, given the industry it operates in and the nature of its flagship product, is very good at security. But that should be sobering: if LastPass can be breached, what does that mean for you and your organisation?
In this blog let’s explore:
- People as your weakest link in security
- What happens when a link breaks
- Security by design
- Assurance over your security controls
People as your weakest link in security
The information disclosed by LastPass – at least as of this writing – is that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account”. We don’t know any further details about how the compromise occurred, but given that it comes down to a single account, I’m going to go out on another limb: it’s probably people-related.
Even if that assumption doesn’t hold in this case, it is often said that people are your weakest link in security, and their actions can undermine multiple layers of security controls. Based on an EY survey[1], 39% of Canadian respondents considered careless or unaware employees as their top vulnerability to cyber-attack. According to Proofpoint’s 2022 Human Factor report, 55% of respondents admitted to allowing friends and family to use their work computers and phones, and up to 20% failed phishing simulations and opened unsolicited email attachments[2].
In the realm of security itself, the people factor is more encompassing. Security doesn’t just happen; someone has to implement the security technology in the first place, which has the potential to include configuration errors. Once implemented, many technologies require humans to run them, or to intervene if things don’t go to plan. Patching and addressing vulnerabilities also require people to make decisions about when to prioritise these activities and to initiate them. Part of the human condition is that sometimes we just, you know… forget stuff.
What happens when a link breaks?
I’d like to flip the human element on its head for a moment – what happens to your people after a breach? Let’s pose a scenario. You’ve been running a monthly phishing test on your employees for the last 12 months, and while it is improving you have around a 5% failure rate. There is some consistency, but it isn’t always the same employees that get caught out.
Then one day, one of those employees falls victim to a real phishing attempt that results in a breach. Customer data is lost, business is interrupted, there is financial loss, and reputation suffers.
How does that employee feel? Do you discipline or fire that individual? If you do, what are your staff thinking the next time you run your phishing test or share the results? Is it a learning opportunity, or is it now perceived as a potential ‘gotcha’? Perhaps more importantly, does it influence how likely your employees are to report near misses in future?
It reminds me of this quote:
“Recently, I was asked if I was going to fire an employee who made a mistake that cost the company $600,000. No, I replied, I just spent $600,000 training him. Why would I want somebody to hire his experience?”
Thomas John Watson Sr., IBM
I’m not suggesting there is an easy answer on how to deal with this scenario, particularly if the technology team are implicated in a breach. The point is to look beyond the mistake or oversight and acknowledge the humanity of the people behind them. If one link of your chain breaks, consider what action will keep the rest of the links as strong as possible.
Security by design
At Protecht we love using risk bow ties to identify the causal pathways that will ultimately lead to failure to meet objectives, including cyber related risks. Before you consider throwing controls at every potential cause, consider whether you could re-engineer your processes or architecture to eliminate some of those causal pathways altogether. LastPass’s choice to never hold master passwords is an example where design has eliminated the potential for those passwords to be breached en masse: a control that protects a secret can fail, but a secret the server never receives cannot be stolen from it. Investment spent on controls might be better spent on changing those processes altogether.
Mapping out those causal pathways can also highlight where the single points of failure are – including people – so that you can address them appropriately.
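To make the “never hold the master password” design point concrete, here is an added example (illustrative only; this is not LastPass’s actual scheme or code, and the two-step derivation, iteration counts and salt choices are assumptions). The client derives a vault key from the master password and then a separate one-way authentication hash; only that hash is sent, and the server stores a salted re-hash of it. A dump of the server’s user table therefore contains neither the master password nor anything that decrypts a vault.

```python
"""Illustrative zero-knowledge login flow (added example, not a vendor's real design).

Client side: master password -> vault key -> auth hash.
Server side: stores only a salted re-hash of the auth hash.
"""
import hashlib
import hmac
import secrets

# Iteration counts are assumptions chosen to keep the demo fast; real deployments use far more.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 10_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side. The vault key is derived from the master password and never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. One extra one-way step: this value, not the password or vault key, is sent to log in."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class Server:
    """Hypothetical service. It only ever sees auth hashes and stores a salted re-hash of each."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
        self.users[email.lower()] = (salt, stored)

    def login(self, email: str, auth_hash: bytes) -> bool:
        record = self.users.get(email.lower())
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
        # Constant-time compare so the server does not leak the stored value by timing.
        return hmac.compare_digest(candidate, stored)

    def dump(self) -> bytes:
        """What an attacker gets if the server's user table is stolen."""
        return b"".join(salt + stored for salt, stored in self.users.values())


def simulate(email: str, master_password: str, wrong_password: str) -> dict:
    """Run registration, a correct login, a wrong login, and check what a server breach exposes."""
    vault_key = derive_vault_key(master_password, email)
    auth_hash = derive_auth_hash(vault_key, master_password)

    server = Server()
    server.register(email, auth_hash)

    wrong_key = derive_vault_key(wrong_password, email)
    wrong_hash = derive_auth_hash(wrong_key, wrong_password)

    stolen = server.dump()
    return {
        "login_ok": server.login(email, auth_hash),
        "wrong_password_rejected": not server.login(email, wrong_hash),
        # The breach yields neither the master password nor the vault key nor even the auth hash.
        "breach_exposes_master_password": master_password.encode() in stolen,
        "breach_exposes_vault_key": vault_key in stolen,
        "breach_exposes_auth_hash": auth_hash in stolen,
    }


if __name__ == "__main__":
    # Constructed sample input for the demo.
    print(simulate("alice@example.com", "correct horse battery staple", "password123"))
```

The point of the extra derivation step is that the value the server holds is two one-way functions away from the master password, so a breached user table is only useful for an offline guessing attack against the password itself, and even a successful guess still has to be fed through the client-side derivation to obtain a vault key.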
Assurance over your security controls
I said earlier that people forget stuff. The best way to minimise this is to obtain assurance that security processes are designed and operating effectively. We do this in Protecht.ERM by:
- Documenting security controls, with associated testing plans
- Defining and monitoring Key Risk Indicators and Key Control Indicators
- Requiring attestations that required tasks (such as patching) are regularly completed, or that controls are operating as intended
- Tracking incidents and near misses to support continuous improvement
- Reporting to identify areas of concern to enable action
With effectively designed workflows and oversight, the likelihood of critical tasks being overlooked is greatly diminished. Which brings us back to people, and more specifically culture. People need to be empowered to not only perform their required tasks, but also be able to confidently speak up when something isn’t designed or operating in the way that was intended.
Closing thoughts and questions to consider
If the actions or inactions of your people contribute to a breach, how will you respond? Do any of your existing cyber breach response plans or tests consider the human element?
Have you mapped out the causal pathways that could result in a cyber breach? If not, how do you know your controls are sufficient?
What assurance processes do you have in place over your security measures? Are they sufficient to provide timely information about control weaknesses?
Are your assurance processes supported by a culture that allows your people to speak up?
Cyber security, risk controls and embedding risk culture in your organisation are all best considered as part of an enterprise-wide risk management framework. If you want to know more, our Enterprise Risk Management: Moving from a Siloed to a True Enterprise Approach webinar is available to watch on demand. Register and view the webinar here.