Security experts and vendor execs are fond of saying that users are always the weak point in any security system. They open malicious emails, visit sketchy Web sites and write down their passwords on sticky notes. And, if you listen to the analysts speaking at the Gartner Security Summit this week in Washington, there’s little chance that set of circumstances is going to get better in the next few years. In fact, it may get worse, as attackers become more adept at finding the gullible souls willing to click on a link promising them pictures of Angelina Jolie.
“Attacks are searching out stupid users, not unpatched machines. Antivirus isn’t helping, because these are targeted attacks, and IPS isn’t helping because there’s no signature for it,” said Gartner analyst John Pescatore. “Think about how little progress we’ve made on the arbitrary malware problem in the last 15 years. We’ve made almost no progress. If you don’t have a signature, it gets through to the user. And the user is going to open it.”
That’s all true, of course. Users make bad choices, and they’ll continue to do so. But to me, that’s not a technology problem; it’s a people problem. It’s a matter of giving users better information, helping them understand the consequences of their actions and explaining how to recognize and avoid malicious content. In today’s environment, there’s no excuse for not having at least a basic security awareness course for every user in your organization who touches a PC. It should be table stakes, but for whatever reason, it’s not. Whether it’s laziness, ignorance or just apathy, many enterprises still don’t give their employees any kind of information on security. If the parade of stolen laptops and lost data tapes doesn’t drive home the importance of this issue, it’s hard to say what will. But right now, the attackers are thanking you for every extra day they get to target untrained employees.