
6 cybersecurity lessons we can learn from Star Wars


From Death Star flaws to passkey protection, here are six cybersecurity lessons we can learn from Star Wars to strengthen defenses and foster better teamwork.

Steven Lafortune

Hello! I'm Steven Lafortune—Devolutions' communication maestro by day, riff-slaying guitarist by night, and the ultimate hockey play-by-play guy in between. When I'm not rescuing Hyrule in The Legend of Zelda or watching the extended Lord of the Rings trilogy for the 235,476th time, you’ll probably find me rocking out at a show. Quick-witted, always up for a laugh, and full of fresh ideas, I bring the same energy to my work as I do to the stage!


May the 4th is a special day for Star Wars fans around the world. It is also a big deal here at Devolutions (although nobody has shown up to work in a Chewbacca costume…yet).

Over the years, we have celebrated this hallowed occasion in a variety of ways. For example, we have shared 10 odd and fun facts about Star Wars, published a complete chronological timeline of Star Wars history, created a challenging Star Wars quiz, and last year we listed 10 classic quotes from Star Wars that apply to life in IT.

This year, we are delighted to reveal another installment in our May the 4th franchise: a look at six cybersecurity lessons that we can learn from Star Wars.

And so, we invite you to play some epic Star Wars music (such as this lovely selection), sit back, pour a glass of blue milk, and join us for some education courtesy of George Lucas and friends.

1. Network segmentation is a must

Even when we are watching it for the 10th (or 100th) time, we all cheer during “A New Hope” when R2D2 breaches the Death Star’s imperial network, and essentially gets total access to just about everything. Well, most of us cheer. The cybersecurity pros among us wince and cringe, because all they can focus on is the lack of network segmentation!

The lesson here is that organizations should establish secure just-in-time access to resources within internal and external segmented networks. Otherwise, those resources might as well be guarded by a nerf herder who wouldn’t even get served at the Mos Eisley cantina.

2. View patch management as a top priority

Remember that tiny defect on the first Death Star? You know, that little two-meter hole about as big as a womp rat that, if fired upon, would obliterate a planet-destroying weapon that cost an estimated $850 quadrillion to build? Think of that weakness like an unpatched bug that hackers can, and in many cases will, exploit: 60% of breaches are attributable to unpatched vulnerabilities.

The lesson here is that organizations should view patch management as a top priority. Multiple third-party tools are available, ranging from those that send push notifications when new patches are available, to more sophisticated solutions that can be configured to automatically scan, download, and install patches at scheduled times.

3. Use passkeys to resist phishing

Thanks to the brilliance of “Andor” (by the way, season 2 already has a 96% score from critics over at Rotten Tomatoes!), many Star Wars fans are watching or re-watching “Rogue One”, and enjoying it even more. Except, that is, for cybersecurity pros, who can’t help but wonder: Don’t these people in a galaxy far, far away get any basic cybersecurity training?

Sure, it’s highly entertaining, but this flick is a case study in how to get victimized by phishing attacks. Think of how easy it was for Cassian to hang around an imperial droid and blend in with Imperial soldiers. Or how simple it was for Cassian and Jyn to wear Imperial uniforms and wander around the Scarif base. And of course, we can’t overlook Bodhi using an authentication code to get his ship past a security checkpoint. We could go on (but we won’t, because we don’t want cybersecurity pros reading this to start screaming).

The lesson here is that organizations should implement passkeys, which thwart phishing attempts due to cryptographic communication protocols that are used during authentication challenges. According to the Fast Identity Online (FIDO) Alliance, passkeys are currently the only practical phishing-resistant option.
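The origin binding behind that phishing resistance, sketched as a relying-party check in Python (an added example, not Devolutions' code; the RP ID, origins and helper names are constructed for illustration). It covers the challenge, origin and RP ID hash checks a server makes on a WebAuthn assertion; verifying the authenticator's signature over these bytes is a separate step not shown here.

```python
import base64, hashlib, hmac, json, os

RP_ID = "login.example.test"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.test"  # constructed origin

def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            issued_challenge: bytes) -> str:
    """Return "ok", or the reason the assertion must be rejected."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    # The challenge must be the one this server issued for this login attempt,
    # so a captured assertion cannot be replayed later.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(issued_challenge)):
        return "challenge mismatch"
    # The browser, not the page, records the origin that requested the assertion.
    # A look-alike site ends up with its own origin here.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4) ...
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:       # flags bit 0: user present
        return "user not present"
    return "ok"

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Build constructed clientDataJSON and authenticatorData for the demo."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge).decode()}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client, auth

def demo():
    challenge = os.urandom(32)
    genuine = sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    # Constructed look-alike domain relaying the same challenge.
    lookalike = sample_assertion("https://login.example-test.invalid",
                                 "login.example-test.invalid", challenge)
    return (check_assertion_binding(*genuine, challenge),
            check_assertion_binding(*lookalike, challenge))

if __name__ == "__main__":
    print(demo())
```

Unlike a typed password or one-time code, nothing the user hands to the look-alike page passes these checks, because the origin and RP ID are filled in by the browser and authenticator rather than by the user.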

To learn more, read this great article by Devolutions’ Subject Matter Expert, Adam, that explores the origins, mechanics, and practical applications of passkeys. Adam highlights the role of passkeys in advancing secure, user-friendly authentication methods. He also dives into how Devolutions has integrated passkey authentication into multiple products.

4. Build your cybersecurity foundation on the principle of least privilege (POLP) and zero trust

Yes, we get it: seeing Cassian Andor reprogram K-2SO was thrilling, and it was awesome when R2D2 finally opened the shield generator bunker doors on Endor. But let’s face it, these (and many, many other) breach attempts wouldn’t have worked if the Imperial Forces knew anything about POLP and zero trust. In terms of entertainment, it’s great that they didn’t. But in terms of cybersecurity, it was shockingly inept.

The lesson here is that organizations should implement both POLP and zero trust, which complement each other to create a strong, reliable cybersecurity foundation. POLP is a policy in which end users are only given the amount of access they need to carry out their jobs — and nothing more. And the guiding principle of zero trust is “never trust, always verify” (admittedly, Darth Vader might find MFA inconvenient, but it’s a small price to pay…unless he finds your lack of faith in his identity disturbing, in which case RUN!)

Read our new White Paper “7 Quick Wins for Cybersecurity in 2025” for advice and steps on how to establish POLP and zero trust in your organization.

5. Executives: Listen to your cybersecurity team

During “A New Hope,” in response to concerns that the Death Star could be vulnerable, Admiral Motti proclaims that “any attack made by the Rebels against this station would be a useless gesture, no matter what technical data they have obtained. This station is now the ultimate power in the universe! I suggest we use it!” As we all know, this unshakeable belief proved to be spectacularly fatal.

Unfortunately, some executives can mirror Admiral Motti’s over-confidence in their organization’s cybersecurity posture. They believe that data and devices are safe and secure — when in fact there are numerous vulnerabilities that, due to good luck rather than smart strategy, have not been exploited. That is, not yet.

The lesson here is that an organization’s executives and other decision makers should listen to their cybersecurity team, heed their warnings, and realize that intelligently spending money on cybersecurity is not an expense. Rather, it is an investment that could prevent a catastrophic breach (kind of like being thrown into a Sarlacc Pit).

Forbes Councils Member Sivan Tehila articulates this crucial understanding: “Shifting the industry mindset from cost center to strategic investment involves realizing that investments in cybersecurity can generate positive returns, both in financial terms and in terms of protecting brand reputation, customer trust and intellectual property. By treating cybersecurity as a strategic investment, organizations proactively allocate resources and prioritize initiatives that align with their overall business objectives. They integrate cybersecurity into their strategic planning, decision-making processes and risk management frameworks.”

6. Great teamwork makes all the difference

Let us wrap things up with a powerful insight and lesson that is found in every single Star Wars production (yes, even the campy Holiday Special from the 1970s). Teamwork makes the difference between success and failure. Think of all of the characters who joined forces to collectively achieve something remarkable: Luke and Han, the Mandalorian and Grogu, Cassian and Jyn, and the list goes on.

Organizations should embrace the idea that cybersecurity is about teamwork, and not just technology. Obviously, the right tools, platforms, and systems are important. But even more important is great teamwork, and the ability of people with different knowledge and experience levels to communicate effectively and respectfully, and never lose sight of what really matters: reducing risks, blocking threats, and keeping the organization both secure and productive. As the Mandalorians say: THIS IS THE WAY!

Feel the Force

Do you agree with these cybersecurity lessons from Star Wars? Which lesson(s) do you think are the most important? And are there any other lessons that you think should be part of the conversation? Please Feel the Force and comment below.
