According to a survey released by endpoint security solution vendor Bromium, 79 percent of surveyed information security professionals view end users as their “number 1 security risk.”
What security people need to understand is that the end users are not the problem. The end users are our customers (and one of the main reasons we have jobs). The problem arises from the increasing sophistication of attackers and their tools and ruses. In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover on the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money). Since then, the attackers have been getting better and better at their jobs. They send very professional looking email and social media bait which is very hard to distinguish from legitimate emails. They do their homework, mining social media for personal and business information to make their clickbait more convincing. End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.
I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks. It has a great return on investment for just about every organization.
We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them. Organizations need to beef up their email security, adding things like pre delivery attachment analysis, real time checking of clicked urls at both the time of message delivery and user action and sandboxing tools (EMET is free and pretty effective).
End users are not stupid. They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day. We have to step up our efforts to protect them, not call them a problem. That’s what we get paid for.
Go hug an end user today.