On our most recent #Cybeers session, we considered the various aspects of security vs. usability at length. The topic was inspired by a recent article by ITnews based on the myGovID system, which is an authentication system for people across Australia, created by the ATO.
The article touched on the risk of user data being stolen via a fake website that looks legitimate to the user. According to the article, this fake website asks visitors to authenticate with their myGovID, and the authentication request is passed through myGov.
When users receive the authentication prompt on their phone, the details they enter are relayed back to the fake site, allowing the attacker to reuse the shared credentials to log into the real system as that user.
Even though the ATO launched this system to avoid password use, it’s easy to argue that most users are not familiar with this kind of process, which may result in easier, more successful phishing attacks. Even without any technical vulnerability in the system, it is being exploited.
This is precisely how phishing attacks are becoming more sophisticated.
While the article recommends that we avoid this system, I believe that we should instead avoid sharing credentials on suspicious sites. Systems like myGovID should implement extra steps to make the system more secure for users without compromising the user experience.
While this is true for any security strategy, how can it be done?
The myGovID system attempted to make their platform more user-friendly but ended up exposing their users to greater security risks. This is a recurrent theme we see in this industry.
It’s up to organisations to strike a balance between security and usability when they implement certain measures in their systems. They must make life harder for an attacker trying to steal data from users without making these steps a nightmare for their teams or their customers.
This is exactly what we do at Triskele Labs; we help organisations understand what risks they face and how they can mitigate them without alienating system users.
This is also the reason behind our name—Triskele Labs; because there’s a ‘risk’ in everything we do.
There’s a lot of negative commentary on MSSPs, along with claims that SIEM (Security Information and Event Management) is no longer useful because it raises too many false positives.
This is certainly not the case.
As an MSSP, we work side-by-side with our clients to identify specific issues, inform them when these threats are targeting a system holding sensitive data in their organisation, and record that information in a secure knowledge base. This doesn’t mean that we neglect the human aspect of this process.
Make no mistake; usability is highly important for security. Whatever security measures you adopt, you need to make sure that they don’t make the user experience cumbersome for your teams or customers.
With the right security service provider, striking this balance is easier. Before you bring them on board, understand what their values are and what they prioritise when they implement security solutions for your company.
Security is often overlooked because it’s perceived as overly complicated or confusing. It’s high time that we move in the opposite direction.
Security and usability do not need to be seen as tradeoffs.
Businesses can execute strategies that ensure enterprise security and boost usefulness and convenience for users at the same time.
At Triskele Labs, our penetration testing services or security awareness training not only improve your security but also improve the usability of these elements of your strategy. We present the right solutions to specific needs without compromising the user experience.
Get in touch with us today if you require more direct security support.