The Security Think Tank considers best practices in identity and access management and how they can be deployed to enable IT departments to combat cyber attacks, phishing attacks and ransomware
Cyber attacks, phishing and ransomware incidents are predominantly user-facilitated threats; their success relies on a human interaction. Relying solely on the next generation of technology to solve this issue is misguided; we cannot address a human problem with technology alone.
Security must shift to a more people-centric approach, as it is ultimately the individuals who require access, whose identities must be managed, and who need to be authenticated; it is also the people who are currently enabling the failures, even when that is inadvertent. We must recognise that this is fundamentally a people challenge, not merely a technological one. By prioritising human factors in our security strategy, we can build a more effective and resilient posture against cyber attacks, phishing and ransomware.
This challenge isn’t new; it may seem so because we’re framing it as IT-centric. In reality, identity and access management (IAM) has been a fundamental practice for centuries, rooted in the principles of least privilege and need to know. What we often overlook is the importance of understanding our underlying information assets and identifying who truly needs access to them. By facilitating that access in a seamless manner, we enhance user experience while maintaining security. If we restructured our information assets to be more logical, user-friendly, and aligned with business functions, we could significantly improve our ability to manage access effectively.
Training and awareness continue to be neglected and underfunded, while technology receives a bigger share of attention and budget. Numerous reports, surveys, and presentations from security industry leaders consistently emphasise that effective training is crucial for enhancing our resilience against attacks. It’s time to prioritise investment in training and awareness, recognising them as vital components of a robust security strategy.
Technologies play a supportive role in combating these attacks but they ultimately depend on individuals to make the right choices. To build an effective defence, we must empower well-trained, security-conscious personnel who are backed by the right technology. Instead of having IT impose access restrictions arbitrarily, let’s engage our teams in identifying their access needs. By prioritising collaboration and understanding, we can create a security framework that truly protects both our people and our organisation.
Additionally, we must recognise that overly restrictive security practices can drive individuals toward risky behaviours, especially when they struggle to perform their jobs effectively. Just as legal systems differ in their approach, security policies should not mirror a Napoleonic framework, where users are limited to only what they are explicitly permitted to do. Instead, we should embrace a model that empowers users to fulfil their roles while maintaining security. It is essential for security teams to collaborate with employees to identify solutions that enable safe and effective job performance, fostering a culture of trust and responsibility.
Shifting away from rigid rules is essential for progress, but it’s understandable that security professionals may feel hesitant, as clear-cut rules can be a comfort for some. User-centric security should be the future for genuine resilience.