Your PC is locked down with a strong, complex password when not in use, and your mobile devices are secured with a passcode. You have a cross-device security tool in place on your PCs and mobile devices to block unwanted traffic, prevent compromise from malware attacks, and protect your sensitive data. Even with the best of the best security measures in place, though, there's still an Achilles heel that trumps it all: you.
Think of it like your house. You can have bars on the windows, and industrial-strength deadbolts on solid steel doors. You can have surveillance cameras, an alarm system, and a bomb-proof panic room. But if a guy dressed like a cable repairman knocks on the door claiming that he's working on an issue affecting your neighborhood, and you open the door and let him in, it's all for nothing.
That is more or less how you (and people in general) are the weakest link when it comes to digital security. The tools you have in place can guard against known threats and can even identify and block suspicious activity from many unknown threats. But if you click on a malicious link in a phishing scam email, your security tools are more likely to view the activity as legitimate because you initiated it. If you open an attachment from an email that claims to be from the IRS or UPS, and fill in sensitive, personal information as requested, there's little your security tools can do to protect you.
A recent article in the Washington Post talks about companies training users on computer and information security. The idea is that users who are more aware of the threats, and of how to recognize them, are less likely to fall victim. The premise seems logical enough, but it's not new. Companies have been conducting security awareness training for more than a decade, and yet many of the most successful attacks in recent years can be traced to individual users letting their guard down and opening the door for attackers.
There is a part of the Washington Post article, though, that sounds like a good idea and seems like it would be more effective at raising awareness. Northrop Grumman, a major defense contractor, conducts mock attacks against users. Northrop Grumman sends phishing attacks to its own users that appear to come from unknown third-party sources. If they fall for it, they're directed to a website that lets them know they've made a mistake, and offers additional lessons for how to avoid such attacks in the future.
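A mock-phishing program like the one described above is only useful if the results feed back into training, so the part worth seeing in code is the measurement side: which users clicked, which went on to enter data on the landing page, which reported the email, and who should get follow-up lessons. The script below is an added example and is not code from the article or from Northrop Grumman; the event log, department names, and the "prior clickers" list are constructed sample data, and the event vocabulary (sent, clicked, submitted, reported) is an assumption about what such a landing page would record.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events from a hypothetical mock-phishing campaign
# (illustrative only; not data from the article or from any real company).
# Each tuple is (user, department, event). Events recorded by the landing
# page and the mail gateway:
#   sent      - a simulated phishing email was delivered to the user
#   clicked   - the user followed the link and reached the training page
#   submitted - the user entered data into the fake form before the lesson
#   reported  - the user flagged the email to IT (the behaviour we want)
SAMPLE_EVENTS = [
    ("alice", "finance", "sent"),
    ("alice", "finance", "clicked"),
    ("alice", "finance", "submitted"),
    ("bob", "finance", "sent"),
    ("bob", "finance", "reported"),
    ("carol", "engineering", "sent"),
    ("carol", "engineering", "clicked"),
    ("dave", "engineering", "sent"),
    ("erin", "sales", "sent"),
    ("erin", "sales", "clicked"),
    ("erin", "sales", "reported"),
]

# Users who clicked in the previous campaign (constructed for the example).
PRIOR_CLICKERS = {"alice"}

EVENT_KINDS = ("sent", "clicked", "submitted", "reported")


@dataclass
class CampaignStats:
    sent: int
    clicked: int
    submitted: int
    reported: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def campaign_summary(events):
    """Return {department: CampaignStats}, plus an "all" entry for the whole campaign.

    Users are counted once per event kind, so a user who clicks twice is still
    one click; the rates are therefore per user, not per raw event.
    """
    per_dept = defaultdict(lambda: {k: set() for k in EVENT_KINDS})
    for user, dept, kind in events:
        per_dept[dept][kind].add(user)
        per_dept["all"][kind].add(user)
    return {
        dept: CampaignStats(*(len(buckets[k]) for k in EVENT_KINDS))
        for dept, buckets in per_dept.items()
    }


def user_events(events):
    """Map each user to the set of event kinds recorded for them."""
    per_user = defaultdict(set)
    for user, _dept, kind in events:
        per_user[user].add(kind)
    return per_user


def needs_followup(events, prior_clickers):
    """Users who should get extra lessons: anyone who submitted data, or who
    clicked in this campaign after also clicking in the previous one."""
    per_user = user_events(events)
    return sorted(
        user for user, kinds in per_user.items()
        if "submitted" in kinds or ("clicked" in kinds and user in prior_clickers)
    )


if __name__ == "__main__":
    for dept, stats in sorted(campaign_summary(SAMPLE_EVENTS).items()):
        print(f"{dept:12s} sent={stats.sent} click_rate={stats.click_rate:.0%} "
              f"report_rate={stats.report_rate:.0%}")
    print("follow-up:", needs_followup(SAMPLE_EVENTS, PRIOR_CLICKERS))
```

Tracking the report rate alongside the click rate matters: a user like "erin" in the sample who clicks and then reports the email has still learned the right reflex, and a campaign whose report rate rises over time is working even if clicks never reach zero.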
Most users don't pay attention to security awareness presentations, or blindly click through online security awareness training tools just to complete them and check off a box for another year. A real-world exercise that catches someone actually falling for an attack is a much more effective way of overcoming the "it won't happen to me" hubris, and driving the point home.
A similar training tool would be nice for consumers as well. Banks, major retailers, and other businesses that are frequently targeted in, or used as bait for, phishing attacks should conduct similar exercises with well-crafted fake emails to help users get the point.
Users will probably always be the weakest link in security, whether it's human error that leaves a door open or the gullibility of human nature that leads a user to open the door for a friendly stranger. Maybe new user awareness training with more shock value can help minimize the risk.