Warner Bros Studios London tour, with the sets and original material of the Harry Potter movies showing cybersecurity professionals need to address single points of failure

Why Cybersecurity Professionals Should Take a Page From Voldemort’s Book

Cybersecurity professionals are usually the heroes of their stories, defending their organizations from ever-evolving cyberthreats. But to adapt to the rise of hybrid and remote work, they may have to take some pointers from an archvillain: Harry Potter’s dark wizard nemesis, Lord Voldemort.

The reason is simple. Companies used to be able to protect their data simply by securing their network perimeters. But with the rise of remote and hybrid work, that perimeter has evaporated, leaving many organizations vulnerable. The 2020 SolarWinds hack painted a picture of how issues around software integrity can lead to attacks on entire networks, even when traditional cybersecurity protections are in place.

A more proactive approach is necessary to mitigate attacks. Instead of attempting to fend off cyberattacks with firewalls or other perimeter-based protections, IT professionals need to shift their mindsets to assume their network is already compromised. Eliminating single points of failure (SPOF) in their systems is key to creating solutions that are secure by default. And avoiding SPOF was something Voldemort was excellent at.

Avoid single points of failure

If you’re a Harry Potter fan, you’ll remember when Voldemort divided parts of his soul into seven different horcruxes to protect himself. The horcruxes, which can be objects or people, act as points of defense, and Voldemort can only be killed when all seven are destroyed. The Dark Lord may have succeeded as an IT professional, because this is essentially the same type of protection that can help create a more secure network.

Voldemort didn’t have an SPOF, and neither should your network. If access to your entire network can be authorized through one password, individual or other point of entry, your system is more vulnerable to cyberattacks.

For example, if a single employee has a key that grants access to the entire network, attackers only have to compromise one account to take over your entire system. The risk of this type of breach is even greater considering 42% of remote workers have their passwords written down and 30% have reused passwords. Replacing passwords with alternative authenticators like FaceID doesn’t change the fact that you still have an SPOF.

Creating solutions that are secure by default — and that strike a balance between cybersecurity and usability — is critical, but only possible with cryptographic security. Comparable to how Voldemort split up his access points, you need to separate cryptographic keys into various parts for excellent end-to-end security posture.

How to maintain strong cryptographic security

As remote and hybrid work continues, it’s critical to implement and maintain usable yet secure practices and systems. If your security measures aren’t user-friendly, employees will navigate around protocols, leaving your systems more vulnerable to cyberattacks. But you also need top-notch security to reduce the risk of insider and outsider cyberthreats.

Network security can no longer be an afterthought: In 2021, you need systems that are designed for security, with encryption turned on by default to prevent users from shutting off security features. With that in mind, let’s take a closer look at how you can maintain strong and agile cryptographic security.

  • Divide credentials for access. As previously mentioned, you don’t want a single key to grant access to your entire network. Instead, build a secret sharing scheme that distributes pieces of information or access keys to various employees. If you’re using divided credentials, a bad actor would need to hack multiple accounts or gain the cooperation of every employee with a piece of that key to gain unauthorized access to a network. And that’s less likely to happen.
  • Consider public key infrastructure (PKI). A PKI solution offers a healthy balance of usability and security, allowing employees and customers secure access to data and documents through certificate-based technology. The combination of software, hardware, encryption and policies that constitute PKI can be used to securely sign digital forms, secure emails and encrypt important documents. This technology provides frictionless, built-in security — your users most likely won’t even notice the protections are there.
  • Implement multi-factor authentication and password managers. If you require employees to create long, complex passwords without offering additional support, they’re more likely to navigate around security protocols and write down or reuse passwords. A password manager provides more manageable security without the hassle of remembering long strings of letters and numbers. The use of appropriate multi-factor authentication (MFA) is also an excellent way to add an extra layer of security — just make sure you don’t use authentication that relies on SMS confirmation. SMSs are built on a Signaling System 7 (SS7) protocol that can easily be hacked, enabling bad actors to intercept SMS MFA codes.
  • Regularly test your cryptographic techniques. It’s easy to deploy your cryptographic strategy — and ignore it. Unmanaged crypto opens a floodgate of vulnerabilities, including compliance failures and data breaches, that risk secure operations and customer trust. Technology is evolving faster than ever, so ensure your strategy evolves along with it by testing and updating regularly.

Think like the Dark Lord himself

Voldemort may not have been the hero of the Harry Potter books, but he was effective at protecting himself against threats. Thanks to the high level of security provided by his horcruxes, He-Who-Must-Not-Be-Named was able to live in secret for more than a decade.

Avoiding SPOFs by dividing credentials won’t fully prevent cyberattacks, but it will improve your overall security posture and compliance. And that alone is worth taking a page from the Dark Lord’s playbook.

 

Director of Product Security at Entrust