It seems security breaches tend to be blamed on people more than technology: 54% to 46%, in fact, according to CompTIA’s Tenth Annual Information Security Trends. Factors such as human error tend to beat out computer issues. They’re not talking about bad actors, either; it’s “lack of knowledge, expertise, and discipline,” according to the report.
Before I go any further, I want to acknowledge that all security issues are due to human error. If a piece of software has a bug, it may be due to a programmer making a mistake, a code checker missing that mistake, or even a design flaw or omission. In all cases it was the act of a human that caused the flaw. You know this and I know this. But that’s not what we’re talking about. We’re talking about end users, or technologists close to the end user, making errors.
I believe that people will generally do the right thing if they know what the right thing is and the right thing isn’t too difficult. People will generally choose tolerable passwords if you tell them what rules to follow and you make those rules reasonable. Requiring a 24-character random password with a mixture of upper- and lower-case letters, digits and special characters isn’t reasonable if they can’t use a password generator and a tool to save the password. A twelve-digit phone PIN is probably too much to ask, too.
Knowing the right thing to do is really a matter of awareness. I’m surprised I haven’t talked about this before. One of the goals of Learning Tree Course 468, System and Network Security is to help the participants make others in their organizations aware of the issues. We sure can’t cover all the threats because there are so many, but we work to make participants aware of the types of things bad guys do and how to deal with them. Our main goal is to get people to begin to think critically about security.
When I say “think critically” I’m not talking about being paranoid! I use the web for a lot of shopping, for instance. I know the risks and I try to minimize them: I use difficult passwords, and I change them periodically. Some of the questions we want people to ask are “What could a bad guy do with this information?”, “How could this be exploited?”, and “How can I make it harder for others to make dangerous mistakes?”.
Every organization needs to find a way to make people more aware of the issues of security. People need to know not to click on links in emails unless they absolutely trust the link, they need to avoid picking up flash drives in the parking lot and “seeing what’s on them” on company PCs, and so on. How are you making your end users aware or how is your security team doing it? Let us know in the comments below.