User shaming is an age-old technology practice that goes back to the days of the mainframe. It's easy to blame users for mistakes, especially those that cause security incidents.
When it comes to data breaches, there's certainly no shortage of user errors to go around. In its 2019 Data Breach Investigations Report (DBIR), Verizon said that errors were a causal factor in one out of five breaches. Top types of error included sending sensitive information to the wrong person, publishing information that shouldn't be out there, and misconfiguration, allowing unwanted guests to access a system.
Then there are the other common user errors, such as losing sensitive data on portable devices, or falling victim to phishing attacks. Even being duped by business email compromise (BEC) attackers counts as a user error.
We can train users as much as we like, but as any security pro knows, there will always be a subset of people who never get it; or who get it, but who sometimes aren't mindful and forget. Awareness programs and training work, but only up to a point.
What happens when those laggard users make a mistake? We typically blame them, but perhaps we shouldn't.
User motives generally don't align with the security team's agenda. Users want to get the job done as efficiently as possible. Every security measure and warning that stands in their way is an obstacle. Many user-focused security alerts, such as invalid certificate warnings, are often both too technical for them to understand and so ubiquitous that they become blind to them. The warning becomes simply another box to click through.
It's time to understand that people alone won't solve our security problems. By enhancing security on the process and technology side, we can reduce the potential for expensive security errors. So, what does this look like?
We can impose technology to catch user errors in various scenarios. Worried about publishing the wrong data? Configure automated tools that won't publish a database without the correct security settings. Concerned about people taking data out of the office and leaving it somewhere? Impose BitLocker encryption on all removable drives by default using Windows Group Policy settings. Worried about BEC compromise? Use separation of duties, requiring two people to authorize large transactions, and enforce this using identity and access management (IAM) software.
Instead of throwing up security warnings that are irrelevant to users, be more aggressive and take action on their behalf. Don't ask them if they want to visit that website with an invalid certificate. Instead, just block it.
Rather than making them change their password regularly (something that the National Cyber Security Centre now advises against), introduce two-factor authentication, along with system monitoring to spot illegitimate access attempts.
When it comes to phishing, accept that users are sometimes going to click on bad links and use technology that catches that traffic, based on parameters like URL reputation, heuristics and blacklists.
Rather than blaming the user for not jumping through our complex security hoops, perhaps it's time to accept their shortcomings and work around them. After all, wasn't technology built to serve the users, rather than the other way around?
The topic of Governance, Risk and Compliance will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Governance, Risk and Compliance here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
