It’s been a couple of years since I stepped down as CEO of Litmos LMS (Learning Management System), but I’ve always had a passion for learning, so I have tried hard to stay connected to the industry. I’ve always had a keen interest in security, and that interest grew as Litmos started to appeal to larger companies. Security reviews and concerns would often come up in the bigger deals, and Litmos would always satisfy the requirements. I guess it was a culture of security from the early days that eventually paid off in the long run.

By the time I was ready to move on from Litmos it was clear to me that protecting the sensitive data and trade secrets companies upload into software products like the LMS would be my next gig. My first attempt to address this problem was to look at backup, but while backup is useful, I wanted to get to the root cause of why the data gets lost in the first place. A SANS Institute report revealed that 95% of the data that gets breached or stolen online starts with a single user getting their login details compromised. In the security industry they call this a phishing attack; for the rest of us it’s just a nightmare followed by multiple expletives.

Why does LMS security matter?

So let’s roll things back a bit and look at the state of security in the LMS industry. An LMS is a software service where companies upload trade secrets, go-to-market strategies and various other types of sensitive data that could spell disaster in the wrong hands. A breach of the LMS could result in a loss of competitive advantage or, worse, a compliance infringement. Either way it’s bad.

Fortunately most of the leading LMSs have good security practices. They secure backend infrastructure, use SSL, offer Single Sign-On, adhere to certifications like SOC 2, get external security audits, and a few also participate in bug bounty programs. I tip my hat to those vendors for a job well done, and as a customer I’d be looking for a new LMS if mine didn’t support these basic hygiene factors.

We’re still exposed.

So herein lies the problem — LMS vendors are taking care of backend infrastructure and process security, but that doesn’t change the fact that 95% of data breaches come through the front door of the house. Attackers know you do a good job securing infrastructure, so the end users are a much easier target.

This is an incredibly hard problem to solve, as most users simply don’t care about security: they don’t listen to the training, they don’t use a password manager, and they’re not going to add friction to their life by enabling two-factor authentication.

It’s not the user’s fault

The worst part is that when a breach does occur, the software vendor will throw up their hands and say, “We have good security; it was the user’s fault.” This is something I can’t agree with. It’s unrealistic for software vendors to expect the average user to keep up with the play on the latest security trends. They will never get ahead of the game, which is probably why they don’t bother to try in the first place. Either that or they just don’t like the hacker stereotype of wearing black hooded sweatshirts and watching Mr Robot.

The learner experience

Back to the LMS. When we started Litmos, one of the mantras that we would repeat over and over again was that we had to create an awesome experience for the learner. We had to remove the barriers and complexities that made it hard for learners to quickly access the training. We knew attention spans were shrinking, and one of the major complaints about LMSs back then was learners getting stuck just trying to get started and eventually giving up.

With this in mind, we need to create an end-user security system that does not interrupt the learner experience but still adds a valuable layer of protection. We designed ThisData from the ground up to do exactly that. By adding a few lines of code to an LMS we can monitor learner logins and notify learners if we think someone other than them has accessed their account. It’s similar to those email notifications you get from Facebook when you sign in from a new device, only it’s all we do and we’re very good at it.
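To make the mechanism above concrete, here is a small login-anomaly monitor written as an added example for this post. It is not ThisData’s code, and the LMS hook, the field names and the sample logins are all constructed for illustration. Each login is compared against the devices and countries the user has signed in from before; anything unseen produces a notification, and a flagged login is only added to the user’s baseline once the user confirms it was them, so an attacker’s sign-in cannot quietly become “known”.

```python
"""Login-anomaly monitor (hypothetical example; not ThisData's implementation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    """One successful login as an LMS would hand it to the monitor (assumed shape)."""
    user: str
    ip: str
    user_agent: str
    country: str  # assumed to be resolved upstream from the IP by a geolocation lookup


@dataclass
class UserProfile:
    """What we have previously seen for one learner."""
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)


def device_fingerprint(event: LoginEvent) -> str:
    # Coarse fingerprint: browser identity plus the /24 of the source address, so a
    # DHCP lease change on the same home network does not look like a new device.
    network = ".".join(event.ip.split(".")[:3])
    return f"{event.user_agent}|{network}.0/24"


class LoginMonitor:
    def __init__(self) -> None:
        self.profiles: Dict[str, UserProfile] = {}

    def evaluate(self, event: LoginEvent) -> List[str]:
        """Return the reasons this login looks unusual; an empty list means nothing to say.

        The first login ever seen for a user only seeds the baseline, since a brand-new
        account has no history to compare against. A login that raises reasons is NOT
        learned here; call confirm_login() once the user says it really was them.
        """
        fp = device_fingerprint(event)
        profile = self.profiles.get(event.user)
        if profile is None:
            self.profiles[event.user] = UserProfile({fp}, {event.country})
            return []
        reasons: List[str] = []
        if fp not in profile.known_devices:
            reasons.append("new_device")
        if event.country not in profile.known_countries:
            reasons.append("new_country")
        return reasons

    def confirm_login(self, event: LoginEvent) -> None:
        """The user replied 'yes, that was me': trust this device and country from now on."""
        profile = self.profiles.setdefault(event.user, UserProfile())
        profile.known_devices.add(device_fingerprint(event))
        profile.known_countries.add(event.country)


def notification_text(user: str, reasons: List[str]) -> str:
    """The message the learner would receive (wording is this example's, not ThisData's)."""
    return (f"Hi {user}, we noticed a sign-in to your account from a "
            f"{' and '.join(r.replace('_', ' ') for r in reasons)}. "
            "If this wasn't you, please change your password.")


# Constructed sample logins using documentation IP ranges (TEST-NET-1/2).
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent("alice", "203.0.113.5", "Chrome/100", "NZ"),   # first login: baseline only
    LoginEvent("alice", "203.0.113.9", "Chrome/100", "NZ"),   # same /24 and browser: quiet
    LoginEvent("bob", "198.51.100.20", "Safari/15", "AU"),    # bob's first login: baseline only
    LoginEvent("alice", "198.51.100.77", "Firefox/99", "US"),  # unseen device AND country
    LoginEvent("alice", "198.51.100.77", "Firefox/99", "US"),  # repeat after alice confirms
]


def run_sample(events: List[LoginEvent] = SAMPLE_EVENTS) -> List[Tuple[str, List[str]]]:
    """Feed the sample through the monitor; returns (user, reasons) for each notification.

    After a flagged login we simulate the learner clicking 'this was me', so the
    same device on the next login is no longer reported.
    """
    monitor = LoginMonitor()
    notifications: List[Tuple[str, List[str]]] = []
    for event in events:
        reasons = monitor.evaluate(event)
        if reasons:
            notifications.append((event.user, reasons))
            monitor.confirm_login(event)  # constructed: stands in for the user's reply
    return notifications


if __name__ == "__main__":
    for user, reasons in run_sample():
        print(notification_text(user, reasons))
```

The one design choice worth noting is that an unusual login never teaches the baseline on its own: if it did, the first phished login would silently become a “known device” and every later one would pass unnoticed. In a real deployment the confirmation would come from the learner clicking a link in the notification, and the country field would come from whatever geolocation source the LMS already uses.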

Some of the industry’s leading LMSs are joining us on this journey to protect the user and, ultimately, to protect their customers’ data from falling into the wrong hands. If you want to discuss your current security practices and how you too can demonstrate leadership in the LMS industry, let me know. I’d love to chat.

This article originally appeared on the ThisData blog.