Some 17 years ago, Bruce Schneier, security expert and CTO at IBM Resilient, said, “Only amateurs attack machines; professionals target people.” Almost two decades later, the quote appears prescient. As cyber threats continue to rise on a global scale, humans, rather than technology infrastructure, are the primary target.
At Workday Rising Europe, Workday’s security product manager Archana Ramamoorthy looked at why hackers seek to exploit human weakness and how businesses can build a plan to prevent, detect, and respond to this increasing threat.
“Phishing remains one of the most popular forms of hacking, with 30 percent of phishing messages and 12 percent of phishing attachments or links being opened by users. But there are three common-sense steps to take against phishing attacks and keep users and data safe,” said Ramamoorthy.
The first step is prevention, described by Ramamoorthy as “at-the-door authentication.” Prevention includes using password managers to generate secure passwords and having good failure policies in place. It also incorporates multi-factor authentication (MFA), which relies on something the user knows, owns, or, in the case of fingerprint or facial recognition, is.
“At-the-door authentication actively encourages behavior that decreases susceptibility to attack during initial authentication. Workday delivers a globally deployable MFA via app, through one-time access codes, and frictionless MFA via SMS,” said Ramamoorthy.
Ramamoorthy went on to describe the second phase of prevention, which is the careful management of authentication policies.
“Organizations should understand who their users are, what their roles are, and how authentication requirements change across roles. It’s important for businesses to understand that policy reviews and updates are critical over time—as security threats evolve and users remain a constant target,” she said.
The final element of prevention is “just-in-time” authentication for the most sensitive user tasks. Also called “step-up authentication,” it is triggered by tasks such as a user accessing a specific set of financial data, which would require an additional form of authentication that would only grant access for a short period of time.
Of course, prevention is not always possible. When developing a battle plan for cybersecurity, detection is the next key area for consideration, and Ramamoorthy said that being able to identify login patterns is crucial. Workday provides organizations with the ability to report on login details: IP address; username; and whether, and why, the login attempt was or wasn’t successful.
The second phase of detection is understanding user activity. Administrators and auditors both need to understand how users engage across the Workday system. It’s important to understand context and have the ability to drill down into the sign-on-specific information behind login attempts.
Finally, it is important for organizations to have triggers for suspicious activity based on pre-configured rules. Ramamoorthy said that alerts should be used to take action on user privileges to minimize the time it takes to stop suspicious activity.
Ramamoorthy’s final areas of focus were response and analysis. This includes how to initiate “first aid” to quickly contain an incident and lock out the offending user. Ideally, organizations will have an incident response playbook—without deciding who should be involved in stopping and then analyzing a security incident, companies risk a flatfooted or chaotic reaction.
“It’s also important to create a culture of security, whereby employees are continually given education and training around the tell-tale signs and warning areas around cybersecurity. This should involve phishing exercises, with test emails sent to employees to gain an understanding of how many are clicking dubious URLs,” Ramamoorthy said.
The pace and frequency of cyber attacks show no signs of slowing, nor does the focus on targeting human error as an entry point. Businesses will not be able to prevent every single attack, but a more proactive approach to prevention and detection and better responses and analysis will help limit the impact of such attacks.