Mainframes have always had a bit of a superhero reputation: rock-solid, ultra-secure, and always up. They’ve powered banks, airlines, and governments for decades without so much as blinking. But I want to share an uncomfortable truth: even the most secure systems in the world can’t defend against human mistakes. Yes, even in mainframe environments.
Human error is still the hidden vulnerability behind many major cyber incidents.
For years, we’ve taken comfort in the mainframe’s legendary reliability. But as time goes on, it’s clear that human error is still the hidden vulnerability behind many major cyber incidents. It’s not that people are careless. It’s that the systems they manage are incredibly complex, and the pressure to “keep things running” often outweighs the incentive to “lock things down.”
The Fortress with a Flaw
Mainframes are built for stability, but their age and complexity can make them harder to secure than you might think. Imagine decades of accumulated code, thousands of batch jobs, and countless users with different access levels, all layered on top of one another. A single oversight – the wrong file permission or an outdated credential – can create a crack in what looks like an impenetrable fortress.
Human behaviour introduces risks for various reasons:
- Complacency: The belief that “it’s always been done this way” can lead to security shortcuts.
- Convenience: Taking the path of least resistance is human nature, but it often bypasses crucial security controls.
- Pressure: Tight deadlines and the demand for constant uptime can lead teams to prioritise speed over security.
- Fatigue: In a 24/7 operational environment, mistakes are simply more likely to happen.
None of this is new. However, as mainframes become more connected to modern APIs, cloud systems, and web front ends, these old habits are becoming new and critical liabilities. What was once an isolated risk is now a potential entry point for attackers to exploit.
Real-World Reminders of the Human Factor
We don’t have to look far for examples of how human oversight can lead to disaster. Recent events have shown just how devastating these failures can be, even when mainframes are involved.
Consider the massive breach at Change Healthcare that crippled the US healthcare sector. Attackers gained access to core systems – including COBOL, DB2, and IBM z/OS components – disrupting transactions nationwide.
Reports suggest that misconfigurations in remote access and weak segmentation between environments were key factors. It wasn’t a sophisticated zero-day exploit that brought the system down. It was human oversight and a delay in addressing the vulnerability.
The threat isn’t always a weakness in the technology itself,
but in human processes.
In another recent case, a major European bank faced allegations of unauthorised access at a North American data centre housing mainframe systems. Early details point to weaknesses in both physical and logical access controls.
This sounds like a familiar story for anyone who has worked in a large IT shop: old permissions that were never revoked, complex operational handoffs, and the dangerous assumption that “someone else” handled the security review.
These incidents are tough reminders that the threat isn’t always a weakness in the technology itself, but in the human processes surrounding it.
How to Build Stronger Defences
Strengthening your mainframe security isn’t about buying a magical new tool. It’s about focusing on the people and processes that manage the platform. Here are five practical steps to build a more resilient security culture.
1. Make Security Part of the Culture
Security awareness in mainframe teams should be as regular as IPLs and backups. It can’t be a one-off training session. It needs to be an ongoing conversation about risks, responsibilities, and best practices.
2. Kill the Shared ID
Every user, without exception, should have a unique, named account with clear privileges. Generic or shared IDs create accountability for black holes. These privileges must be reviewed regularly to ensure they align with the principle of least privilege, giving people access only to what they absolutely need to do their jobs.
3. Automate Where You Can
Humans make mistakes, especially with repetitive tasks. Automate security processes like patching, password resets, configuration audits, and compliance checks wherever possible. Automation reduces the chance of error and frees up your skilled teams to focus on more complex security challenges.
4. Train Continuously
Cybersecurity threats evolve, and so should your training. Run short, scenario-based refreshers for system programmers, operators, and developers. Focus on real-world situations they might encounter to make the training relevant and memorable.
5. Encourage Transparency
Your team should feel safe reporting a mistake without fear of blame. A culture of transparency means you can identify and fix a vulnerability before an attacker finds it. When people hide errors, small problems can quickly escalate into major breaches.
The Machine Isn’t the Weak Link
The next time you hear someone say, “Our mainframe is unhackable,” maybe remind them of this: it’s not the machine that gets tricked, but the person running it.
The greatest strength of the mainframe is also its biggest challenge. Its reliability can lull us into a false sense of security, causing us to overlook the simple human factors that pose the greatest risk.
Ah, the fat fimger syndrome.