When it comes to IT security, why is the poor user seen as the weakest link? Why did 50 million of us click on “I love you” in August 2000 when we should have been focusing on our work? Why is it that every day some hapless and overworked finance manager blithely sends their company’s money to a complete stranger in response to an email that clearly was not written by their boss?
One reason might be that we have accidentally employed really stupid people, in the way that my wife often feels about being married to her husband. More sensible reasons were presented by Hiwot Mendahun, a manager at cloud security company Mimecast, at the recent IPExpo in London. She set out three reasons why people do apparently stupid things.
Three reasons why people do ‘stupid’ things
The first reason is overload. In 2017 we sent some 26 billion emails, so there are lots of them. Secondly, people implicitly trust the emails they see in their inbox, so there isn’t enough scepticism. Thirdly, it is easy for a fraudster to impersonate a trusted sender. There you have the ingredients to transform an otherwise competent and intelligent employee into the weakest link in your IT security.
The challenge, then, is to turn that same person into your last line of defence, after a security threat has got through all your email filters and arrived in their inbox. Mendahun identified three factors that could apply to your staff:
1. Awareness – they aren’t even thinking about IT security.
2. Knowledge – they don’t understand the threats.
3. Attitude – they don’t care or they are “too busy”.
The key to the first two factors is education. Once you have done the HR legwork with company policies and people have signed up them, frequent reminders and refreshers will help to maintain awareness. Simulated phishing attacks are also a good way to catch the unwary and guide them safely to additional learning materials.
That leaves just the third factor, attitude. Attitudes are famously hard to change, and if you do get to that point, maybe you have hired the wrong person…
If you would like to turn your weakest links into your last line of defence, Riverbank would be delighted to help. Call us on 01235 426700 or email firstname.lastname@example.org.
Alternatively, complete the form below.