Why End Users Are The Biggest Risk – Part 1

With technology now at the center of almost everything we do, cybersecurity has become a hot topic for individuals, businesses, and organizations. External threats such as hackers, bad actors, and malicious code typically get the attention, while one often overlooked risk comes from within: the end user. End users, despite their good intentions, are typically a significant vulnerability. In this multi-part series of blog posts, we will explore the reasons why end users pose a risk to cybersecurity and discuss how to help mitigate these threats.

Lack of Awareness and Training
In my opinion, one of the biggest reasons why end users are the number one risk to cybersecurity is their lack of security awareness training. Let’s put ourselves in the shoes of the typical end user. The typical end user is not a cybersecurity expert, nor do they keep up to date with trends. They often lack the knowledge and skills to identify potential threats or follow best practices. If we let them, they would make their password "password1234" or the REALLY secure "password12345". They may also inadvertently click on suspicious links, open blatantly malicious attachments, or fall victim to phishing scams, providing an entry point for bad actors.

How can we fix this problem?
As someone who has been in the industry for 15 years, I can say this is not something that can be fixed overnight. Some organizations have a "one strike and you’re out" policy. Mixing fear into the equation will just result in everyone being too careful, never opening emails, or asking a question every time an unexpected email comes through. If you have a thinly staffed information security team, they will be bombarded with questions. On the other hand, some organizations just want to make security a checkmark for audits. If there are no repercussions for clicking a phishing email, for instance, then you will have users doing the opposite: clicking everything! A well thought out cybersecurity awareness training program can give end users the knowledge and skills to identify and respond to potential threats effectively. Ensure it is not just a 15-minute walkthrough to tick a box for regulatory compliance. Don’t reuse the same action items every single year; change the content up and make it relevant to the year you are in. Quarterly phishing tests should be included, with a not-too-obvious email going to users, and different groups should receive different phishing tests to keep everyone guessing.

In the next post we will talk about human error and insider threats in relation to end users! Stay safe out there!
