Stop Blaming the End User for Security Risk
It's common among cybersecurity professionals to point to the end user as a top area of risk in securing the organization. This is understandable. Systems and software are under our control, but users are unpredictable, that unruly variable that expands our threat surface to each geographically dispersed user, personal device, and all-too-human foibles and flaws.
Certainly, threat actors target our users quite successfully — I'm not here to dismiss this obvious truth. But what is equally certain is this: We cannot train our way out of this problem. Enterprises pour significant investments into user security-awareness training, and still, they suffer embarrassing, costly breaches. So, focusing primarily on securing the end user isn't a sound strategy.
Fact: Your users are a major risk factor. According to Verizon's "2022 Data Breach and Investigations Report," 35% of ransomware infections began with a phishing email. Fact: This is despite escalating investments in security-awareness training over many years. The cybersecurity awareness training market is projected to grow from $1,854.9 million in 2022 to $12,140 million by 2027. Fact: Even with all these investments, ransomware (just as one attack type) is also expected to grow aggressively, despite many organizational efforts, including training.
Sad, unavoidable fact: Our users are still going to make mistakes — we're all human, after all. A survey conducted to prove the need for more security training, in my view, proved its inability to stop the cyber crisis: Four out of five surveyed had received security awareness training; between 26% and 44% (based on age demographic) continued to click on links and attachments from unknown senders anyway.
We should conclude that organizational security must not rely heavily on securing the user, that they will be compromised, and then begin securing systems with this assumption in mind. Thus, even if an end user is breached, the amount of systemic damage that's done by that compromise shouldn't be large if proper security measures are employed and orchestrated correctly.
Should we be training our end users? Absolutely, emphatically, yes. Strong security requires a layered approach, and that means buttressing your security by securing every doorway to your systems. But we must start removing end-user risk from the equation. This requires some difficult choices and significant leadership buy-in to these choices.
[...] One thing is certain: No matter how much training we provide, users will always be fallible. It's essential to minimize users' options to click in the first place, and then ensure that, when they do, there are controls in place to disrupt the progression of the attack.
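The two layers the excerpt calls for (fewer things to click on, and a control that still acts when a click happens anyway) can be sketched as a small inbound-mail policy. The code below is an added illustration, not code from the article or from any product it mentions; the extension lists, the `click-gateway.internal.example` URL, the denylisted hostname and the sample message are all constructed for the example, and the "flattening" of macro-bearing documents is simulated by a rename rather than a real conversion.

```python
"""Added illustration (not from the article): a layered inbound-mail policy that
assumes the recipient *will* click and tries to limit what a click can do.

Layer 1 (before delivery): remove the riskiest click targets from the message.
Layer 2 (at click time): every surviving link goes through a gateway check, so a
click on a link that is malicious, or becomes malicious later, is stopped and logged.

All policy values and sample data below are constructed for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse, quote, unquote

# Attachment types the gateway quarantines outright (constructed policy list).
QUARANTINE_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
# Macro-capable documents are delivered only as a flat rendering unless the
# sender is already known (constructed policy list).
FLATTEN_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Hostnames the click-time gateway refuses (constructed; a real deployment would
# consult a reputation feed or sandbox verdict here).
CLICK_TIME_DENYLIST = {"invoice-portal.example.net"}
# Hypothetical internal gateway that re-checks the real destination on every click.
GATEWAY = "https://click-gateway.internal.example/inspect?u="


@dataclass
class Message:
    sender: str
    attachments: list[str]
    links: list[str]
    known_sender: bool = False


@dataclass
class Decision:
    delivered_attachments: list[str] = field(default_factory=list)
    quarantined: list[str] = field(default_factory=list)
    flattened: list[str] = field(default_factory=list)
    rewritten_links: list[str] = field(default_factory=list)


def _ext(name: str) -> str:
    """Lower-cased file extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def apply_delivery_policy(msg: Message) -> Decision:
    """Layer 1: shrink the set of things the user can click on."""
    d = Decision()
    for a in msg.attachments:
        ext = _ext(a)
        if ext in QUARANTINE_EXTENSIONS:
            d.quarantined.append(a)
        elif ext in FLATTEN_EXTENSIONS and not msg.known_sender:
            # Simulated flattening: the macro-bearing file is replaced by a
            # static rendering, so a click cannot run active content.
            d.flattened.append(a + ".pdf")
        else:
            d.delivered_attachments.append(a)
    # Every link is wrapped so the real destination is re-evaluated when clicked,
    # not only at delivery time.
    d.rewritten_links = [GATEWAY + quote(u, safe="") for u in msg.links]
    return d


def click_time_check(rewritten: str) -> tuple[bool, str]:
    """Layer 2: the user has clicked. Decide whether the gateway forwards them."""
    original = unquote(rewritten[len(GATEWAY):])
    host = urlparse(original).hostname or ""
    if host in CLICK_TIME_DENYLIST:
        return False, f"blocked click to {host}"
    return True, f"allowed click to {host}"


def simulate(msg: Message) -> tuple[Decision, list[tuple[bool, str]]]:
    """Run both layers: deliver under policy, then have the user click every link."""
    decision = apply_delivery_policy(msg)
    outcomes = [click_time_check(link) for link in decision.rewritten_links]
    return decision, outcomes


# Constructed sample message resembling a typical lure: an executable, a
# macro document, a harmless note, and two links of which one is denylisted.
SAMPLE = Message(
    sender="accounts@unknown-vendor.example",
    attachments=["invoice.exe", "report.docm", "notes.txt"],
    links=["https://invoice-portal.example.net/login", "https://www.example.com/docs"],
)

if __name__ == "__main__":
    decision, outcomes = simulate(SAMPLE)
    print("quarantined:", decision.quarantined)
    print("flattened:  ", decision.flattened)
    print("delivered:  ", decision.delivered_attachments)
    for verdict in outcomes:
        print("click:", verdict[1])
```

The point of the second layer is that the user's click is expected: the gateway is consulted at click time, so the verdict can change after delivery and the click itself becomes a logged event that the SOC can act on, which is the "controls in place to disrupt the progression" the excerpt describes.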
(Score: 4, Insightful) by jb on Friday March 31, @05:41AM (1 child)
Question: how many of those organisations were forcing their staff to use the world's least secure mail client? You know, the one that (leaving aside all of its many more technical defects, just looking at its UI defects for the time being) goes out of its way to present mail to recipients in such a way as to make it ridiculously easy for attackers to make a bogus message look like a legit one...
Yes, users need to be vigilant. But they also need to be given the right tools for the job. If an employer wants to reduce the incidence of staff getting scammed by email, then "LookOut!" (or its even less usable web-based counterpart) is absolutely the wrong tool with which to be reading email.
(Score: 0) by Anonymous Coward on Friday March 31, @05:57AM
Their quarantine stuff is terrible too - it lets phishing crap through but blocks emails that are clearly part of existing email conversations (you don't even need a retarded AI to figure out whether an email is part of an existing conversation and from already known senders).
(Score: 2) by canopic jug on Friday March 31, @05:51AM
What is that, a trap? The link tries to pull in javascripts from at least 10 domains on the first pass. Turning on javascripts for the hosting domain doesn't cause the text to render. Hard pass on turning on more. There's no telling what they will be doing and are completely unnecessary anyway if the goal is to show text. If the goal is something else then I want no part of it.
Is there an alternative link for the same material? It is important that people stop blaming the victims for m$ shortcomings. The end users are, after all, only using the computer as advertised: clicking on links, trading documents, and reading e-mail with maybe the occasional text or voice chat thrown in. If a product line is unfit for purpose, we need to bring that fact back into public awareness and get those products off the market and kill that company off with heavy fines and jail for the execs.
