Uber, Optus and Medibank are cautionary tales in corporate network access, writes MyCena’s Julia O’Toole

As we enter into the New Year, I’m sure many of you will be evaluating your cybersecurity programs and identifying areas that need to be improved to help protect your business in the year ahead.

As you do this, I urge you not to overlook your corporate network access, because a foundational flaw in the way employees access networks could be putting you at risk, and it was a leading cause of breaches in 2022.

If we can say anything about 2022, it was a big year for data breaches. Uber, Optus and Medibank are just some of the companies that faced highly publicised attacks.

Yet, the bad news is, this scale and frequency of attacks will only get worse in 2023 if we don’t address this cybersecurity flaw which puts almost all organisations at risk.

In enterprise environments today, it is employees who control the keys to the most valuable asset – data. The data belongs to the business, the data is the business, but the enterprise does not control the keys to the data. Employees do.

Who owns the key to the kingdom?

This is because in all enterprise environments today, employees make their own passwords to access networks and corporate data. This built-in vulnerability results in criminals constantly targeting employees with phishing scams, knowing that when one individual gives away their corporate keys, they can enter and loot the corporate kingdom.

The bad news is, employees will always fall for the phish. It’s not their fault, they are there to do their jobs, they are not employed as security guards of your data. So, they should never have been given this responsibility in the first place.

Employees hold their passwords, working all across the world, and the businesses have absolutely no control over the strength of the password, if the employee has shared it, or if they use it across every single one of their online accounts. Yet this password is a doorway to the organisation’s most valuable asset.

Why Most Privileged Access doesn’t work

Of course, many enterprises try to mitigate this threat using single-sign-on or Privileged Access solutions, but they do very little to counter the threat.

In fact, with single sign on, all gated access points are removed – the digital network is kept completely open to an employee who holds the unique key that can unlock all the doors at once.

But what happens when that key falls into the wrong hands? Attackers are suddenly handed the maximum network access for that user from a single key. 

All digital access solutions try to solve is the problem of people having to remember multiple passwords. But by solving a technical problem, they have created a mathematical problem – meaning enterprises risk losing everything at once.

Imagine having just one key for your house, your car, your office, your savings…. And losing or forgetting that key! That model is not just illogical, it is mathematically insane.

Time to get personal

It’s critical we counter this threat now, because breaches are increasingly getting to people at a personal level, as we saw with Medibank, Optus and Uber last year. And it’s CISOs that are coming directly in the firing line.

Furthermore, insurance policies are also at risk. When organisations do not secure their network access properly, they are soon going to find their claims uninsurable, due to provable gross negligence.

Time is critical. CISOs must start thinking about their cybersecurity as a digital twin of their physical office security now. Segment and lock every door physically and digitally.

Never let every employee open all the doors at once with a single key, nor create their own keys as this just creates a volatile situation where a break-in can come from anyone anywhere.

This can all be achieved by using encrypted and segmented access solutions. By using these tools, passwords are encrypted, so employees don’t know them, which means they can’t be stolen or phished out of them.

And by segmenting every access to the network, no unauthorised intruders can travel across your network unobstructed. 

Not only does this significantly improve cybersecurity, but it also saves over $5.2 million a year per organisation on costly password resets, while also improving IT helpdesk productivity.

If you really want to improve your defences against breaches, you must start to reconsider how employees access your network and work towards regaining control of your data.

This is one of the only ways to achieve genuine cyber resilience and protect your data against the threat of breaches.

Julia-photo-LI

Julia O’Toole is CEO of MyCena Security Solutions