
Users may be the weakest link, but it’s not their fault

Security experts and vendor execs are fond of saying that users are always the weak point in any security system. They open malicious emails, visit sketchy Web sites and write down their passwords on sticky notes. And, if you listen to the analysts speaking at the Gartner Security Summit this week in Washington, there’s little chance that set of circumstances is going to get better in the next few years. In fact, it may get worse, as attackers become more adept at finding the gullible souls willing to click on a link promising them pictures of Angelina Jolie.

“Attacks are searching out stupid users, not unpatched machines. Antivirus isn’t helping, because these are targeted attacks and IPS isn’t helping because there’s no signature for it,” said Gartner analyst John Pescatore. “Think about how little progress we’ve made on the arbitrary malware problem in the last 15 years. We’ve made almost no progress. If you don’t have a signature, it gets through to the user. And the user is going to open it.”

That’s all true, of course. Users make bad choices and they’ll continue to do so. But to me, that’s not a technology problem, it’s a people problem. It’s a matter of giving users better information, helping them understand the consequences of their actions and explaining how to avoid malicious content. In today’s environment, there’s no excuse for not having at least a basic security awareness course for every user in your organization who touches a PC. It should be table stakes, but for whatever reason, it’s not. Whether it’s laziness or ignorance or just apathy, many enterprises still don’t give their employees any kind of information on security. If the parade of stolen laptops and lost data tapes doesn’t drive home the importance of this issue, it’s hard to say what will. But right now, the attackers are thanking you for every extra day they get to target untrained employees.

Join the conversation


I think this problem will always exist, unless an organization changes the corporate culture. Has anyone tried to sit down with executives to teach them about security? They just don't care. I think when an organization has programs for new hires, and strict security awareness programs that are mandatory, then you may start to see results. Furthermore, you need accountability. Without it, security is useless.

The lack of awareness is compounded by the use of a platform that often has ordinary users surfing the web using a login with administrative rights. This isn't entirely the fault of the administrators of their workstations. There is a lot of Windows software out there that breaks if you lock down the user's account. I've seen serious attempts at building a secure, unprivileged desktop build get stalled over this issue.