As we get near the end of our tour of the ecosystem of breaches we get to people. We talk about Social Engineering, but in reality humans are the biggest security risk there is.
There are a few reasons for this. We can start with the fact that phishing has become more sophisticated, that there are websites that look just like your bank's website, and that there are emails that are getting more convincing and we're even getting artificial intelligence algorithms that are learning new ways to trick you into giving up your credentials.
But, to be honest, people are kind of lazy. People prefer convenience over security. This isn't anything new, and it doesn't really have anything to do with computer technology. It's been true since the dawn of time -- as long as we're comfortable we don't care much about security. When we're under attack, we build security until we're comfortable again... and then we start to tear it down again.
So this is going to be an ongoing cycle of security and convenience and what you're going to get people to actually agree to to be secure.
While people are lazy, they are also extraordinarily clever. They actively take things apart... "I want that convenience, so I'm going to spend a lot of effort to get rid of the security that I feel is in my way!"
It's this combination of increasingly sophisticated phishing tools, the balance of convenience and security and humans being so clever that they shoot themselves in the foot that means trying to change people isn't something we can really expect to do. Instead, we need to focus on Identity so we know the people really are the people they say they are and there really isn't any way for someone to impersonate you.
- Phishing is getting more sophisticated
- People choose convenience over security
- People are clever enough to circumnavigate security
- The only real solution is solid Identity Access Management