If we boil cybersecurity down to its essence, it comes to a balance between convenience for users of the systems and security of the system and its data. It is a constant tug-of-war. The easier an app or a system is to use, the fewer controls are in place to protect it. The more controls that are in place on a system, the safer the system is, however, it will be more difficult and cumbersome to use. Here is how it all works.
Users want to access their apps, systems, and data quickly and with little fuss. They do not want to go through, seemingly, unnecessary steps. Users don’t want to have to go through multiple verification stages. They want to access all their data in one place in an instant. In order to make this scenario possible, there can be few, if any, controls that serve to protect their data.
Controls like usernames and passwords, multi-factor authentication, and action-specific screens all help restrict access to data. They also take effort and time on the user’s part. Usernames and password do more than ensure that each other accesses only their own data. They also act as a means of authentication, or proving the user is who they claim to be. Having a different screen within a system for every type of transaction (reading data, changing data, sending data, etc.) forces the system to check that the user logged in is authorized (possessing permission) to conduct whichever transaction has been requested. For example, you may have a joint account with someone, say a teenage child. Each of you has a username and password and an ATM card with a pin number. Having a different username and ATM card for each of you makes it possible to determine which of you has performed a particular transaction. You want both of you to be able to see how much money is in the account (an account balance inquiry screen) and to deposit and withdraw money (transaction screens). You do not, however, want the teenager to be able to take out a loan on the account. In order to allow users to have varying actions available to them, different screens (transaction access) are employed. Based on a user’s authorization, they will or will not be able to access a specific transaction type. This is a control mechanism that limits some users from accessing parts of a system that they should not enter.
The trick is that as soon as we get a control in place and users become familiar and comfortable using it, threat actors find a way around it and we have to up our game. Every time this cycle repeats itself, the controls have to become more complex. It used to be enough to have a username and password. Then we had to implement two-factor authentication. Now, we are deploying multi-factor authentication including biometrics. So, that leaves us in an on-going struggle between making systems easy for users to utilize and keeping systems and data safe.
Comments