The user is the weakest link. Long live the user.
All of us involved in the information security domain knows that the end-user is the weakest link of the security framework. Empirical study and anecdotal experience back this up. The bad guys know this and exploit it to maximum benefit. The 2019 Verizon Database Breach report details that 94% of all cyber breaches start with an email. Yet as security professionals, we also realize that it isn’t fair and bad form to blame the end-user. Particularly if they haven’t been properly trained.
Of course, it is easy to blame the user. Oh, how easy it is. Who clicked the link, answered the phone, or fell for the ridiculous story and sent the wire transfer. And they have received training. Well, at least a 15-minute lecture or a 3-minute video.
But were they really paying attention? Maybe it is the fault of the infosec professional? The user is busy doing THEIR job. Being an administrative assistant, being an account, being a payroll administrator…making sure you get paid! Maybe it is the information security professional that isn’t doing THEIR job?
Oh damn, another email from IT. Oh damn, I have to watch another security training video. Luckily, I have my cell phone and I can play candy crush while this video plays. Oh, there are some stupid questions at the end? No problem, I get to take the test until I get them correct and I just learn from the ones I got wrong.
Maybe as infosec professionals, we should end this. Maybe we should be creating personal training experiences. That commands the attention of the user and delivers the message. Why are we taking the easy way out with videos and interactive games that no one pays attention to?
I’m not saying that those videos and other training media don’t have a place. Some are excellent and provide a valuable reminder to the user. But you can’t replace a thoughtful, well-designed message…delivered in person. By an engaging and energetic trainer. And throw in some food and drink too. Coffee and pastries for a morning session or subs and soda for a lunch session. Make it something the user wants to attend!
But, but, that cost money says the mid-level manager. Ah well, how much is that data breach going to cost? How much does an incident response firm charge to come in and clean up your network? How much is the wire transfers to a Chinese bank going to put you out?
Maybe the user isn’t the weakest link after all.