Your PC is locked down with a strong, complex password when not in use, and your mobile devices are secured with a passcode. You have a cross-device security tool in place on your PCs and mobile devices to block unwanted traffic, prevent compromise from malware attacks, and protect your sensitive data. Even with the best of the best security measures in place, though, there’s still an Achilles heel that trumps it all—you.
Think of it like your house. You can have bars on the windows, and industrial-strength deadbolts on solid steel doors. You can have surveillance cameras, an alarm system, and a bomb-proof panic room. But, if a guy dressed like a cable repairman knocks on the door claiming that he’s working on an issue affecting your neighborhood, and you open the door and let him in, it’s all for nothing.
That is more or less how you—and people in general—are the weakest link when it comes to digital security. The tools you have in place can guard against known threats and can even identify and block suspicious activity from many unknown threats. But if you click on a malicious link in a phishing scam email, your security tools are more likely to view the activity as legitimate because you initiated it. If you open an attachment from an email that claims to be from the IRS or UPS, and fill in sensitive, personal information as requested, there’s little your security tools can do to protect you.
A recent article in the Washington Post talks about companies training users on computer and information security. The idea is that users who are more aware of the threats, and of how to recognize them, are less likely to fall victim. The premise seems logical enough, but it’s not new. Companies have been conducting security awareness training for more than a decade, and yet many of the most successful attacks in recent years can be traced to individual users letting their guard down and opening the door for attackers.
There is a part of the Washington Post article, though, that sounds like a good idea and seems like it would be more effective at raising awareness. Northrop Grumman—a major defense contractor—conducts mock attacks against users. Northrop Grumman sends phishing attacks to its own users that appear to come from unknown third-party sources. If they fall for it, they’re directed to a website that lets them know they’ve made a mistake, and offers additional lessons for how to avoid such attacks in the future.
Most users don’t pay attention to security awareness presentations, or blindly click through online security awareness training tools just to “complete” them and check off a box for another year. A real-world exercise that catches someone actually falling for an attack is a much more effective way of overcoming the “it won’t happen to me” hubris and driving the point home.
A similar training tool would be nice for consumers as well. Banks, major retailers, and other businesses that are frequently targeted in—or used as bait for—phishing attacks should conduct similar exercises with well-crafted fake emails to help users get the point.
Users will probably always be the weakest link in security, whether it’s human error that leaves a door open, or the gullibility of human nature that leads a user to open the door for a friendly stranger. Maybe new user awareness training with more “shock value” can help minimize the risk.