Advances in security technology have forced cyber attackers to turn to the weakest link in the security chain – the human element. With 88 percent of security breaches caused by human error, technology teams across the Federal government are searching for ways to address the human side of cybersecurity to keep networks and systems safe while also meeting Federal security mandates.
MeriTalk recently sat down with Zane Bond, director of product management at Keeper Security, to discuss how user experience plays a role in cybersecurity and can help reduce mistakes that lead to security breaches.
MeriTalk: It seems like every week we learn about another security breach on the news. How often does human behavior play a role in security breaches, and how?
Bond: The way bad actors attack agencies and organizations is constantly evolving. They will always try to find the path of least resistance. Back before there were strong network security protocols, cyber attackers would attack the network directly. So, technology teams locked systems down. Then the attackers moved to the endpoints. So those were locked down. As the easy technology target components were eliminated, attackers turned to human-centric attacks through social engineering methods like phishing. In these types of attacks, employees are tricked into either clicking on a link, opening an attachment, or sharing personal information. When the employee falls for the bait, the attackers can get into the network and do their damage. Unfortunately, in today’s world, the human element is the current weak point on the security chain.
MeriTalk: There is a constant battle between technology teams that want to implement strong security protocols and end users who want an easier, better, or simpler user experience. How can agencies create a balance between the two?
Bond: Whenever possible, don’t go for balance. If you make a product too complex to use through increased security protocols, users simply won’t use it. They will find a workaround to get their jobs done, and that shadow IT leads to significantly increased security risks. Meanwhile, the technology team has a false sense of security because they think employees are using the security tool they implemented. Instead of finding a balance, start with focusing on the user experience – technology that will make people’s lives easier. Then, find the security tools to make that happen. Many security products improve the user experience instead of adding additional barriers. With Keeper Security, we looked for user pain points in password security and access. We then built a solution that first improved their experience – which meant they were more likely to use the tool – and then developed the security on the back end. If you find a tool that makes people’s lives easier that just happens to be more secure – you get the best of both worlds.
MeriTalk: How, in fact, can security technology create a better user experience?
Bond: When we implement security, there are mandates and compliance regulations to meet, but if you focus solely on the rules, you may create security features that make tools very difficult to use. When building or implementing any new security technology, it’s always a good idea to do a sanity check. Run through the security protocols yourself to understand the experience from a user perspective. If it’s too difficult for you to use, imagine what it will be like for your users who have to go through those protocols several times a day. Mandates, policies, and compliance regulations inform technology teams that they have to secure systems. How they do that is generally up to them. If security is approached from a user perspective, technology teams will have more success in meeting the mandates and compliance requirements because their users will actually use the more secure tools.
MeriTalk: Since the release of the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity, agencies across the Federal government are quickly moving to a zero trust architecture to secure Federal systems and networks. Federal CISO Chris DeRusha reported “tremendous progress” to a House subcommittee. What are the greatest successes you have seen so far, and what pitfalls should technology teams be aware of as they move forward?
Bond: The order and controls around zero trust in the cyber EO really hit the mark. It’s refreshing to see. The cyber EO is good for security and it’s really good policy. Agencies should keep in mind that zero trust is an evolution from previous security practices, which will continue to evolve as technology advances emerge – and as bad actors find new ways to breach systems. Zero trust isn’t a destination. Technology teams will always have to remain vigilant.
MeriTalk: Password security is a component of a zero-trust architecture. What is human-centric password security, and why is it essential to securing Federal networks?
Bond: Verizon recently published its 2022 Data Breach Investigations Report, which showed that 66 percent of breaches were caused by compromised credentials, so password security is extremely important in stopping bad actors from getting into your network. A zero-trust architecture is built on the idea that people need to be authorized and validated whenever they access different areas of the network. Human-centric password security is really about ensuring the zero-trust principle of least privilege by monitoring users and their network activities and intervening before suspicious behavior escalates into a full-blown breach. Through constant monitoring, technology teams can get a picture of what is normal and what is suspicious behavior. When they see something suspicious, which is usually flagged through alerts, they can contact the person to see what may be going on. Keeper Security reports on hundreds of event types across our ecosystem to support this effort.
MeriTalk: Most people look to technology teams to improve cybersecurity, but securing agency networks and data is everyone’s responsibility. What can government leaders do to shift user mindsets and user behaviors among their employees?
Bond: Because there have been so many high-profile breaches recently, awareness is no longer the problem it used to be. People know cyber attackers are trying to break in. Now it really comes down to identifying potential types of attacks, and then educating teams about those attack methods so they can stay vigilant. Security tools can only get you so far. You have to train people on what to look out for to reduce mistakes that lead to breaches.
MeriTalk: Along those same lines, the Biden administration issued an Executive Order on Transforming the Federal Customer Experience and Service Delivery to Rebuild Trust in Government. While primarily focused on constituent experiences, what elements in that EO can also be applied to government employees to improve their user experience? How can the spirit of the EO be met while also keeping government networks secure?
Bond: To meet the customer experience EO mandates, agencies have to understand service delivery from the customer perspective to learn how to improve it. Implementing security protocols should be handled the same way. Technology teams need to know how easy the tool is to use in practice by testing it out as a user. Understanding how the security tool affects users on a day-to-day basis is really important for the security tool to be effective.
MeriTalk: How does the Keeper Security solution reduce risks associated with the human element of cybersecurity?
Bond: Keeper Security meets stringent zero-trust security protocols on an architectural level – it’s just built in. We address the human element of cybersecurity by making things easier for users. One of our simplest components is logging in and storing credentials. Agencies could have so many security layers that just getting through that front door with your credentials and then accessing the internet to do your job could take a long time. Employees are under deadline, and they just want to get to where they need to go quickly. With Keeper Security, the user simply goes to their vault and chooses what site they want to log into, and we do the rest. Securely stored passwords are auto-filled, making access faster and easier. The user is on their way to a more productive workday. But there’s an enormous amount of security stuff that goes on under that, from validating the website, checking cross-site scripting, checking SSL certifications, checking encryption – stuff that users and technology teams no longer have to worry about. Agencies can have the best of both worlds with the Keeper Security solution – a security tool that improves the user experience.
MeriTalk: How does the Keeper Security platform integrate with other zero-trust security components?
Bond: Integrations are foundational to what we do. We integrate with existing security tools, including single sign-on, Active Directory, multifactor authentication, email verification, and even hardware keys so users can authenticate seamlessly. Through integrations, we are also able to enforce policies that are implemented across the entire environment, helping agencies stay compliant. We like to make things easy for users and also for the tech teams. Because we integrate with tools teams already have in place, there aren’t a lot of new things to learn. Our integrations also mean that implementation is fast. From a deployment perspective, if an agency has an account, employees literally go to the website, click “sign up,” and they are done. Team members could be up and running in five minutes. You don’t have to install appliances or get special approvals.
MeriTalk: What makes the Keeper Security platform different than other solutions on the market?
Bond: Keeper Security is the only password manager that is FedRAMP authorized, making it really simple for agencies across the Federal government to implement. We are Americans with Disabilities Act 508 compliant, so people with disabilities can access their files with screen readers. Beyond that, we include zero knowledge in our zero-trust architecture, which I think will eventually be a recommendation or policy from CISA. With zero knowledge, we as the vendor have no knowledge of what is inside a user’s vault. We don’t know what passwords are stored in there, and we don’t know where users are logging in from. If we are ever compromised, user data remains secure. Adding zero knowledge to the zero-trust architecture is really on the forefront of current security thinking. Finally, Keeper Security solutions are just easy to use and easy to deploy.