
27 Jan 2025

Behind Security Blind Spots: A Lesson in Predictable Human Behaviour

The challenge: Go beyond surface-level security

When a client approached Chaleit for a comprehensive security assessment, they were confident in their defensive posture. However, our established partnership enabled deeper conversations about cyber security maturity, fostering a collaborative approach to identify opportunities for improvement. 

With state-of-the-art security tools and multi-factor authentication (MFA) in place, they believed their systems were well-protected. They challenged our team to conduct a "gloves-off" red team exercise: an attempt to breach their systems through any means possible.

"The client believed that they had all sorts of protections in place and wanted to see if their defences were working as expected," explains Balaji Gopal, VP of Technical Services at Chaleit.

What followed was a lesson in how predictable human behaviour can compromise even the most robust security systems.

The human element

Our investigation began with a thorough analysis of the organisation's digital footprint, including examining previous data breaches. A pattern emerged: several user accounts showed similar password structures, typically combining the company name with predictable number sequences.

This discovery led to a broader investigation that revealed a concerning trend. 

Out of approximately 400 accounts, 25 were found using variations of the same predictable password pattern. While this might seem like a small percentage, consider that cyber attackers only need one successful entry point.

The MFA myth

One of the most significant findings challenged a common security assumption: that MFA serves as an impenetrable barrier even if passwords are compromised. 

Our team discovered that while the organisation had implemented MFA for their Microsoft accounts, several critical internal applications exposed to the internet didn't require this additional security layer. Moreover, an external application had various parameters woven into it, which meant its MFA implementation was not robust and left opportunities to compromise it.

This oversight provided an entry point that gave access to sensitive systems containing user authentication logs, asset inventories and detailed vulnerability information, all without triggering any meaningful security response. Timely response is an increasingly critical aspect of modern cyber defence.

The situation illustrated how partial security implementation can create dangerous blind spots.

Detection without action

Perhaps most concerning was the revelation of how security alerts were handled.

The organisation's security tools were detecting suspicious activities, but there was a clear disconnect between detection and response. This phenomenon isn't unique. We've observed similar patterns across multiple organisations where security teams see alerts but hesitate to act, often due to:

  • Fear of automated intervention causing disruption

  • Uncertainty about the severity of the threat

  • Lack of clear response protocols

  • Alert fatigue from too many notifications

As Balaji emphasises, "Logs are the single source of truth. If your logs say something is wrong, act on it now." This simple yet powerful principle often gets lost in the complexity of modern security operations.
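The detection-to-response gap described above can be measured rather than guessed at. The following is an added example, not Chaleit's tooling: it parses constructed alert records (id, time the activity occurred, time the tool detected it, time someone responded, empty if never actioned), computes Mean Time to Detect and Mean Time to Respond, and lists alerts that were detected but never acted on within an assumed SLA.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass
class Alert:
    alert_id: str
    occurred: datetime             # when the suspicious activity happened
    detected: datetime             # when the security tool raised the alert
    responded: Optional[datetime]  # when someone acted on it; None if nobody did


def parse_alerts(lines: List[str]) -> List[Alert]:
    """Parse 'id,occurred,detected,responded' lines; an empty 'responded' means unactioned."""
    alerts = []
    for line in lines:
        aid, occ, det, resp = line.strip().split(",")
        alerts.append(Alert(aid, datetime.fromisoformat(occ), datetime.fromisoformat(det),
                            datetime.fromisoformat(resp) if resp else None))
    return alerts


def mttd_minutes(alerts: List[Alert]) -> float:
    """Mean Time to Detect: average gap between the activity and the alert."""
    return mean((a.detected - a.occurred).total_seconds() for a in alerts) / 60


def mttr_minutes(alerts: List[Alert]) -> Optional[float]:
    """Mean Time to Respond over alerts that were actually actioned; None if none were."""
    actioned = [a for a in alerts if a.responded is not None]
    if not actioned:
        return None
    return mean((a.responded - a.detected).total_seconds() for a in actioned) / 60


def unactioned(alerts: List[Alert], now: datetime, sla: timedelta) -> List[str]:
    """Alerts the tools raised that nobody acted on within the SLA: the detection/response gap."""
    return [a.alert_id for a in alerts if a.responded is None and now - a.detected > sla]


# Constructed sample records, not real telemetry.
SAMPLE_LINES = [
    "A1,2025-01-20T09:00:00,2025-01-20T09:05:00,2025-01-20T09:35:00",
    "A2,2025-01-20T09:10:00,2025-01-20T09:20:00,",
    "A3,2025-01-20T10:00:00,2025-01-20T10:15:00,2025-01-20T11:15:00",
    "A4,2025-01-20T11:00:00,2025-01-20T11:02:00,",
]
ALERTS = parse_alerts(SAMPLE_LINES)
NOW, SLA = datetime(2025, 1, 20, 12, 0), timedelta(minutes=60)  # assumed review time and SLA
print(mttd_minutes(ALERTS), mttr_minutes(ALERTS), unactioned(ALERTS, NOW, SLA))
```

Note that A4 is also unactioned but still inside the SLA window, so only A2 is reported; the SLA keeps the list to alerts that have genuinely stalled.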

Practical lessons and recommendations

Our engagement revealed several key lessons for organisations looking to strengthen their security posture: 

1. Password policy implementation

  • Implement strict password complexity requirements

  • Create comprehensive blacklists of commonly used password patterns

  • Enforce minimum password lengths of 15 characters or more

  • Regularly audit password patterns across the organisation

2. MFA integration

  • Ensure consistent MFA implementation across ALL internet-exposed services

  • Regularly audit MFA coverage and effectiveness

  • Test MFA implementation with real-world scenarios

3. Security alert response

  • Develop clear protocols for alert investigation and response

  • Implement automated response procedures where appropriate

  • Provide regular training for security teams on alert prioritisation

  • Monitor Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
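The pattern found in "The human element" (company name plus a predictable number sequence) and the password-policy recommendations above translate directly into a check that can run at password-change time and in periodic audits. This is an added example, not the client's or Chaleit's policy engine; the company name, the substitution table and the sample accounts are constructed.

```python
import re
from collections import defaultdict

# Assumed company name (constructed); in practice load it and the blocklist from config.
COMPANY_NAME = "examplecorp"
MIN_LENGTH = 15

# Undo common substitutions so "Ex4mpl3c0rp" is still recognised as "examplecorp".
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def has_predictable_digits(password: str) -> bool:
    """True for digit runs that are a year, a repeated digit, or a counting sequence."""
    for run in re.findall(r"\d{3,}", password):
        if re.fullmatch(r"(19|20)\d\d", run) or len(set(run)) == 1:
            return True
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps <= {1} or steps <= {-1}:   # e.g. 123, 4567 or 987
            return True
    return False

def check_password(password: str, company: str = COMPANY_NAME) -> list[str]:
    """Return the policy rules the password breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if company.lower() in password.lower().translate(_SUBSTITUTIONS):
        violations.append("contains company name")
    if has_predictable_digits(password):
        violations.append("predictable number sequence")
    return violations

def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts by the rule they break, giving a pattern report like the one in the article."""
    report = defaultdict(list)
    for account, password in sorted(accounts.items()):
        for rule in check_password(password):
            report[rule].append(account)
    return dict(report)

# Constructed sample, not real credentials.
SAMPLE = {
    "alice": "ExampleCorp2024!",
    "bob": "Ex4mpl3c0rp123",
    "carol": "correct horse battery staple",
    "dave": "Winter-2025-Season-Pass",
}

print(audit(SAMPLE))
```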

Building a security culture

As revealed by multiple engagements, the most sophisticated security tools in the world can't compensate for human behaviour and organisational shortcuts. It's like having a plane with the best avionics in the world and putting the wrong grade of fuel in it. The technology might be perfect, but fundamental oversights can still lead to failure.

In our team's experience, the gap between having security measures and implementing them effectively often comes down to human factors. As organisations continue to invest in advanced security tools, they must pay equal attention to understanding and addressing human behaviour patterns that could compromise these defences. 

The client's response to our findings was telling: while they were aware of potential password-related vulnerabilities, they hadn't fully grasped the potential impact. This understanding led to immediate action to address the identified gaps, demonstrating how practical demonstrations of risk can drive meaningful change in security practices.

In the end, effective security isn't just about having the right tools but about understanding how human nature interacts with these tools and building systems that account for both technical and human factors.

Are you confident about your organisation's security posture? Don't wait for a breach to expose your vulnerabilities.

Get in touch for a security health check to help you discover and diagnose hidden risks in your security infrastructure.


About this article

Series:

Behind the scenes

Topics:

  • Strategy
