When someone starts a sentence by saying, “I don’t mean to offend but….” you know that they’re going to say something offensive. So you put your guard up.
That’s got no relevance to what I’m about to say, because I haven’t got a fully formed opinion that I wish to share. Rather, it’s more of a question that I think is worth considering.
I agree that within any organisation, humans are a link in the security chain that must be secured like all the other links.
Note, I did not say they were a weak link. Merely a link.
But often, security people find ways to pass the blame onto our end users. In some cases this is justified, but not all the time. And because of this, I feel it has come to be one of the biggest cop-outs in the field of information security.
– A virus enters the network because a stupid user opened an email attachment.
– An intruder gains access to the office because an ignorant user held the door open for them.
– Sensitive information was exposed because that stupid guy in finance was too busy trying to chat to that girl in the bar instead of watching his laptop.
These are all common examples of the types of things that are bandied around, and we feel content to lay the blame on users, get a bigger awareness budget for the year and sleep well at night.
But what if we look at these the other way around?
– A virus enters the network because the email appeared to originate from an internal server, even though it was sent externally. Did you have any mechanism in place to stop this from occurring? Or did you have any internal controls that would prevent the user from opening a file containing a malicious payload?
– A door was held open for the intruder because the intruder was in a wheelchair and the building doesn’t provide good access for wheelchair users. Or because there aren’t any mantraps built into your entry systems.
– Sensitive information was exposed because you didn’t maintain an up-to-date asset inventory of all your laptops and ensure they were all encrypted.
I’m not saying that users are or aren’t to blame for security lapses. I just think the security puzzle is not two-dimensional. There are many aspects to consider. Is it a cop-out for us to just blame the user?