From McKinsey Insights: Securing software as a service
Having spent a lot of money on penetration testing to make sure the new website was secure, we then received the tester's report with some results from a different customer's test in it. People are always the biggest flaw in any security system, even people who are supposed to know a thing or two about security.
Cyber security is a big deal. But all the firewalls and malware scans in the world can't protect against the biggest security flaw: people.
Looking over the shoulder of someone on the train, within two minutes I had found out their name, email address, the company they work for, their role, where they live, which bank they are with, three characters of their password, how much they have in their account, their partner's name, which charity they support, what sports they are into, and what time they got in a school cross-country race in 2005.
This is the lock on the toilet door. It requires a four-digit combination to get in, but it has been set up slightly wrong, so that the four correct digits entered in any order will open it. At first thought this seems like a bit of a security flaw, since it increases the chance of guessing the combination (for four distinct digits, 24 orderings are accepted instead of one). But hey, it's just a toilet, and it actually makes getting in easier, as you only need to remember the four digits, not the order they go in.
It makes me wonder whether a similar approach could be used in securing other systems, so that the information used to gain access doesn't need to be 100% accurate but has a margin of error that allows for the user making a mistake.
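To put a number on that trade-off, here is an added example (my own code, not part of the original post) that models three acceptance policies for a four-digit code: exact match, the mis-set toilet lock's "any order" rule, and a hypothetical "one digit may be wrong" margin of error. It enumerates all 10,000 possible entries and counts how many each policy would let in, which is exactly the extra guessing odds the tolerance buys an attacker. The policy names, the helper functions and the sample codes are assumptions constructed for the illustration.

```python
from collections import Counter
from itertools import product
from math import comb

DIGITS = "0123456789"
LENGTH = 4  # four-digit combination, as on the toilet lock


def accepts_exact(stored: str, entered: str) -> bool:
    """Ordinary lock: the entered code must match digit for digit, in order."""
    return entered == stored


def accepts_any_order(stored: str, entered: str) -> bool:
    """The mis-set toilet lock: the same digits (as a multiset), order ignored."""
    return len(entered) == len(stored) and Counter(entered) == Counter(stored)


def accepts_within_tolerance(stored: str, entered: str, tolerance: int = 1) -> bool:
    """Hypothetical 'margin of error' policy (assumption, not from the post):
    the entry is accepted if at most `tolerance` positions are wrong."""
    if len(entered) != len(stored):
        return False
    wrong = sum(1 for a, b in zip(stored, entered) if a != b)
    return wrong <= tolerance


def accepted_entries(stored: str, policy) -> int:
    """Count how many of the 10**LENGTH possible entries the policy would accept."""
    return sum(
        1 for combo in product(DIGITS, repeat=LENGTH) if policy(stored, "".join(combo))
    )


def guess_success_probability(stored: str, policy, attempts: int = 1) -> float:
    """Chance that an attacker trying `attempts` distinct random entries gets in
    (exact hypergeometric: 1 - P(all attempts miss))."""
    total = len(DIGITS) ** LENGTH
    hits = accepted_entries(stored, policy)
    return 1.0 - comb(total - hits, attempts) / comb(total, attempts)


if __name__ == "__main__":
    # Constructed sample codes: all-distinct, one repeated digit, all the same digit
    for code in ("1234", "1123", "1111"):
        for name, policy in (
            ("exact", accepts_exact),
            ("any order", accepts_any_order),
            ("one digit wrong", accepts_within_tolerance),
        ):
            hits = accepted_entries(code, policy)
            p5 = guess_success_probability(code, policy, attempts=5)
            print(f"{code} {name:16s} accepts {hits:3d}/10000 entries; "
                  f"5 tries succeed with p={p5:.4f}")
```

Running it shows the cost directly: for a code of four distinct digits, "any order" accepts 24 entries instead of 1, and allowing one wrong digit accepts 37, so a five-guess lockout that leaves an attacker a 0.05% chance against the exact policy leaves them roughly 1.2% and 1.8% respectively. Repeated digits shrink the "any order" set (12 for 1123, 1 for 1111), which is worth remembering if the tolerance idea were ever applied to anything more valuable than a toilet.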