In our last post, we discussed social engineering and the risk that end-users (or human error) can bring to a secure network. In social engineering, attackers target the human response rather than breaking into the network themselves, which places more of the pressure, and more of the risk, on the end-users.
Are users to blame?
Last year, the Office 365 team shared a post around how even the most sophisticated computer security in the world can’t always protect you. Social engineering hackers hide in plain sight – posing as individuals that you would normally interact with. As social engineering continues to manipulate unsuspecting employees, familiarization with these techniques can help prepare your end-users to better protect your network. Security training should also not just be a one-time thing. Frequent training keeps security top of mind and helps employees understand their responsibility for protecting their own (and the organization’s) data, as best they can.
In contrast, awareness may not be the issue. A recent study found that 53% of millennials, 37% of GenXers (born 1965-1980), and about 30% of Baby Boomers find securing accounts, not reusing passwords, and sharing highly sensitive information online "too inconvenient," or they "just don't care." This presents a challenge for IT departments, which face users who simply don't understand, or don't care about, the risks of certain behaviors.
But is user-blaming fair?
While employees are accountable for taking some precautions to protect your network, are they responsible for clicking on a malicious link in an email? As one Forrester analyst shared, "I have yet to meet a single user that clicked a malicious link intentionally." Social engineering is designed to manipulate and trick end-users into thinking their actions are routine. Even with end-user training, it is risky (and unfair) to rely on end-users as the sole safety net. Some argue that placing blame on humans is the wrong approach altogether. As the number of threats increases and attackers get more creative, removing the human element from the decision may prove more effective.
So, what’s the verdict?
A truly secure network involves informed end-users, secure technology, and compliant policies and processes. Creating a secure culture in the workplace means that employees understand the importance of smart behavior around device protection, and that IT has taken preventive steps to detect external threats. Rather than seeing end-users as the weakest link, an effective IT security strategy should equip end-users with awareness of potential pitfalls, while your enterprise security solution automates threat detection and removes the human element where possible.