Everyone makes mistakes, that’s right, I said everyone. The most important part of making a mistake is embracing the opportunity to learn from it and adapting your behaviors and processes once the mistake is made. User education on computer security is, without any doubt, one of the most difficult (if not the most difficult) and important functions of your IT Security Team. The bottom line is that most users understand technology only by its function. Meaning, many users are experts at sending emails, using Facebook and social media, or creating and sharing all of those wonderful Microsoft Office documents we all know and love. However, most users are not aware of the dangers of malicious scripts hidden in Office macros, or of how URLs can be made to look like a known site while actually sending users to malicious sites designed to distribute malware and steal information.
But is user education the solution to preventing data loss in your organization? I suppose the answer is both “Yes” and “No”. Bruce Schneier (CTO of Resilient Systems) said, “I too have tried educating users, and I agree that it’s largely futile”. Part of the problem with user education is finding a balance of understanding. There are people in your environment who just don’t understand how technology works, and don’t want to. This may be generational or just a learned behavior, but it is difficult to overcome. That being said, many of the people in your environment are able to absorb some of the technical knowledge required to use technology as safely as possible. The key is finding a balance between user education and the implementation of technologies that protect the environment in the areas where education continues to fail.
In order to find that balance, the IT Security Team needs to rely on metrics. Metrics can come from security appliances reporting on incidents or from user surveys and town hall meetings. Keep track of the gaps, the points where both technology and user training seem to be failing, and work together to find a solution. A common gap in many organizations is removable media protection: not just portable hard drives and flash media, but DVDs and CDs as well. Technologies exist to block and monitor these devices. Protect your environment from those promotional CDs that come embedded with rootkits and botnet malware by not giving users the opportunity to forget their annual security training. Simply remove the “user choice” variable from the equation.
Of course in many environments the “push back” that comes from taking away functionality can be swift and harsh. Again, this is where the need for balance arises. In order to be profitable in business, there must always be some risk that is simply identified and accepted. The IT Security Team and Executives must work together to identify and mitigate or accept the risks.
So are users the weakest link in the Security chain? There are definitely arguments for both yes and no. User training and education is not going to go away. It is also important that, as Security Professionals, we make our servers and endpoints as secure as possible regardless of who sits in front of them. At Archetype SC our Consultants and Engineers are ready and willing to help your organization design or improve your end-user training program. Let our skilled professionals analyze the gaps in your environment and help you plan for and implement the technology and training modules that increase your organization’s security posture while allowing the business to function optimally.