People are the problem
Firewalls, anti-virus, anti-malware, dual factor authentication… All of these will improve security, but what can be done about the weakest link in the security chain: people?
One of the most persistent messages from security experts is that any security infrastructure is only as good as its weakest link, and that is almost always the end user. With consumerisation of IT and bring your own device (BYOD), the end user has even more potential to cause security breaches, and as a recent survey by Sophos highlighted, 96% of IT professionals do not trust their end users to make sound IT security decisions.
But the survey showed that they had their reasons: 48% of respondents said that they fix security issues caused by end user negligence at least once a week. So what are end users most guilty of doing?
“Not complying with security policies,” says Tamer Aboualy, CTO, security services, IBM Middle East and Africa.
“Some easy examples include unauthorised installation of software, configurations and use (i.e. putting corporate information on social media and letting family members use their own devices), not complying with software updates and software patching, being fooled by phishing exploits and sharing passwords,” he adds.
Essam Ahmed, regional pre-sales manager for McAfee, agrees: “Some common mistakes that can lead to very risky security violations and identity theft are clicking on offers that appear too good to be true, and re-pinning them so they are propagated further. Users should never click on a link in a spam email or IM from someone they don’t know, and they also need more awareness to check URLs before clicking on them, to see that the address is going to a well-established site. If it is a shortened URL, use a URL preview tool to make sure it is safe to click on.”
Education is key to keeping these risks to a minimum, but with so many threats out there, what are the teaching tactics CIOs should be using?
“End users need to be taken through the most common ways for threat actors to target them. This includes teaching people what counts as sensitive data that needs to be protected, acceptable usage policies, security policies and how to identify and avoid threats. It’s about creating best practice among end users,” highlights Don Smith, director of Technology, Dell SecureWorks.
“Securing Internet and email usage,” continues Haritha Ramachandran, programme manager, ICT practice, Frost and Sullivan Middle East and North Africa. “End users should be educated on how to keep one’s account secure, risks of identity theft and how to redress the situation if they find themselves with a hacked account.”
Experts say that educating end users is key to avoiding security threats, but what practical tactics can the CIO use to deliver that education and make it stick?
Continuous end user education is key to reducing security risks. Not everything can be covered in one session, plus it’s important to keep reminding the end users of the risks and their role in keeping them to a minimum.
“Trying to do everything at once is a common mistake,” says Bulent Teksoz, chief security strategist, emerging regions, Symantec. “Just like any project, user education on security must be well planned. The content is extremely important, as is the way it is delivered. It must be relevant to the overall business and the business function the users are in.”
It is recommended that courses are held at regular six-month intervals, but as Matthew Cheung, principal research analyst, Gartner, highlights, don’t bombard staff too much or they’ll become immune to the message.