Users Are The Weakest Link.

i’m fucking kidding. obviously.

I would never say this. Except in jest. But why is it that as an industry, we’re so obsessed with this trope?! We wheel it out every time there’s a cyber attack. A “sophisticated” cyber attack. You know, the ones where someone got phished and it brought the whole business to a standstill for ten days (cough MGM cough).

I think it’s time we took a long hard look at ourselves as an industry if we’re blaming users for the business-wide impact of a phishing attack. Like, what the hell are we doing all day if it’s so bloody simple?!

The phishing attack itself isn’t actually the thing that’s brought the business to a standstill. The real problem is the subsequent actions: the attacker being able to move through the network, encrypt or exfiltrate our data, close down critical infrastructure, and elevate their privileges to admin status. And yet we’re still blaming the end user for that?

Grow up.

End users are a nightmare. I get it. I’ve heard stories of people being literally shown phishing emails in their inbox, deleting them in the presence of an infosec professional and then going back to recover said email so they could click on the link “to see what happens”. I mean that kind of shit, you can’t really write, right?

But if we’ve got a weak point in our infrastructure, shouldn’t we be looking to protect that, rather than point fingers? Is it because it’s a human element that we’re ok with taking this frankly blasé approach to security?

Because if it was a firewall or an application that was riddled with vulnerabilities, I’m pretty sure we wouldn’t be sat shrugging, wheeling out “well we all know web applications are the weakest link, I guess we’re just fucked as a business”. Would we?

And let’s not forget that we are end users too. In fact, IT teams are more highly prized targets for attackers than poor Barbara on reception. And why? Well, we have access to everything for a start. And if our accounts are compromised they can cause a lot more damage. So if our attitude is that end users are the weakest link, are we including ourselves in that?!

So what do we do about end users being the ‘weakest link’? Well, from discussions with many, many organisations… it doesn’t look like we do much above and beyond ticking compliance boxes for end user training so we can get cyber insurance. Sad, right?

I asked this question at our relaunch event back in October and I’d like to pose the same to you. As an infosec or IT professional, have you ever done cyber security training? Hopefully, you’re saying yes. So if you have done that training, did you hit play on the video, walk off to make a brew and come back hoping it’d finished? Or alternatively sit hitting fast forward as quick as possible to skip through the ‘boring’ shit?

I know you’re nodding along. Because we all do it. And it’s not really fair, is it? If we’re not engaging in our own specialist subject, how the fuck do we expect our sales teams, our HR teams, our marketing teams, our executive boards to engage with it?

We’re sat saying users are the weakest part of our defences and giving them the flimsiest armour. Bargain basement shit. Security sponsored by Primark. But we want them to defend our enterprises with their lives. Well, livelihoods anyway.

I’m not saying I have all the answers here. But I just don’t see how an annual training course delivered by dull Dave and his PowerPoint parade is going to be the thing that switches your users on to engaging with security.

There are a few things I’m working on at the moment that could help. And I’d love to discuss them with you (seriously, drop me a DM) because I really think we could start making a difference if we take a different approach. We can’t keep doing the same thing over and over again and expecting different results. That’s the definition of madness, right?

Let’s find ways to engage our teams, to excite them about security, to make them think about it in new ways. Escape rooms can definitely be a piece of that puzzle. As can continuous learning in the workflow. Learning on the job. Interactivity is key. Passive learning doesn’t stick.

let’s switch it up.


Amy is the CEO and main driver behind esc. With over a decade of experience in the IT sector, Amy's built a reputation as a force of nature, disrupting the industry with her no nonsense approach.