LastPass data breach

LastPass, one of the largest password managers, announced on Thursday that it had been impacted by a data breach, in which hackers were able to access source data code and technical data.

Despite customers passwords not being compromised in the attack, this has still called into question the security measures taken when protecting many individuals passwords. In this case, the breach was made possible through the compromise of one single developer’s account.

Below is a comment from Dominic Trott, Head of UK Strategy at Orange Cyberdefense, examining the breach and providing insights into the risk posed by the insider threat and the importance of prioritising the ‘human element’ of security. To do this, Dominic explains, businesses should focus on ensuring approaches such as ‘frictionless security’ and ‘security as culture’

“At the very least, it sounds like the LastPass developer whose account was compromised only had access to the applications and data specifically required to conduct their job, indicating that a role-based security policy was in place and that the user had sufficient awareness as to not repeat their username and password combination across multiple accounts. If either of these things were not the case, the malicious actor could easily have gained access to incredibly sensitive assets. It is this point that demonstrates both the risk that insider threats represent, as well as the importance of the human element within an enterprise security strategy.

“Respecting the ‘human element’ of security isn’t to eliminate all security risks, but rather to balance security and usability, allowing users to do their job, securely, and with a good grasp of security hygiene behaviour. As the cliché goes, even the best security technology is no good if users don’t understand it or even actively subvert it. A better approach encompasses two principles, alongside the deployment of technology: ‘frictionless security’ and ‘security as culture’.

“First, work out what users need to do in order to conduct their jobs, providing and enabling a technology environment that is secure by design. Tools and techniques such as cloud security posture management, DevSecOps and secure remote access are all examples of means by which to provide a ‘frictionless’ security environment that supports users doing what they want to do, where they want to do it, with minimal interference from security.

“Second, to make sure that users go beyond the bare minimum annual ‘sheep-dip’ of security awareness training, enterprises should aspire to a long-term approach of building security awareness into corporate culture. The key to this ambition is for security teams to understand what the business and the board needs and expects from them, then communicating this using language that is meaningful to their colleagues. This can be accelerated by appointing ‘security champions’ from within business lines who understand both security priorities and the concerns of their own teams, allowing them to make recommendations that address imbalances. Such approaches can help security teams to ‘recruit’ the user-base at large.”

For more news updates, check out our latest issue here.

Media contact

Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: [email protected]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Vestas

Orange Cyberdefense comments on Vestas cyber attack

The wind turbine manufacturer Vestas has been hit by a cyber attack that impacted its internal IT systems and compromised data.
Scroll to Top