It's common among cybersecurity professionals to point to the end user as a top area of risk in securing the organization. This is understandable. Systems and software are under our control, but users are unpredictable, that unruly variable that expands our threat surface to each geographically dispersed user, personal device, and all-too-human foibles and flaws.
Certainly, threat actors target our users quite successfully — I'm not here to dismiss this obvious truth. But what is equally certain is this: We cannot train our way out of this problem. Enterprises pour significant investments into user security-awareness training, and still, they suffer embarrassing, costly breaches. So, focusing primarily on securing the end user isn't a sound strategy.
Secure Systems With New Strategy in Mind
Fact: Your users are a major risk factor. According to Verizon's "2022 Data Breach and Investigations Report," 35% of ransomware infections began with a phishing email. Fact: This is despite escalating investments in security-awareness training over many years. The cybersecurity awareness training market is projected to grow from $1,854.9 million in 2022 to $12,140 million by 2027. Fact: Even with all these investments, ransomware (just as one attack type) is also expected to grow aggressively, despite many organizational efforts, including training.
Sad, unavoidable fact: Our users are still going to make mistakes — we're all human, after all. A survey conducted to prove the need for more security training, in my view, proved its inability to stop the cyber crisis: Four out of five surveyed had received security awareness training; between 26% and 44% (based on age demographic) continued to click on links and attachments from unknown senders anyway.
Don't Just Count on Securing the User
We should conclude that organizational security must not rely heavily on securing the user; we should assume that users will be compromised and begin securing systems with that assumption in mind. Thus, even if an end user is breached, the systemic damage done by that compromise should be limited if proper security measures are employed and orchestrated correctly.
Should we be training our end users? Absolutely, emphatically, yes. Strong security requires a layered approach, and that means buttressing your security by securing every doorway to your systems. But we must start removing end-user risk from the equation. This requires some difficult choices and significant leadership buy-in to these choices.
How Can We Disarm Users as a Top Risk?
Organizations must better block access and orchestrate security controls. Systems are too open by default; we must make them closed by default, evaluate each for risk, and then open access by exception and with full intentionality. Users can't click or open what they can't access, and in the organizations we assess or remediate post-breach, we see employees and systems having far greater access than necessary in the course of work. Companies should layer on stronger security orchestration across their people, process, and technology so that, should a threat actor gain access through an improper click anyway, there are controls designed to stop their lateral movement and harvesting/escalation of credentials.
Organizations can take proactive measures to reduce user risk, including: blocking access to personal email accounts; filtering HTTPS traffic with deep-packet inspection; blocking Internet access to nonuser subnets/VLANs by default; requiring all user traffic to be inspected and filtered all the time — no matter the endpoint; disallowing all but IT-approved file-sharing systems and password vaults; and enabling security features in tools such as firewalls and endpoint detection and response (EDR).
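As an added illustration (example code, not from the article or its author), the following Python model shows what the list above looks like once written down as policy: sources are classified by subnet, every request is denied unless a rule explicitly opens it, user subnets can reach the Internet only through an inspecting proxy, non-user subnets get no Internet path at all, and the proxy itself blocks personal webmail and any file-sharing service that IT has not approved. Every denial is recorded so the security team can see what the controls are catching. The subnets, proxy address and domain lists are constructed sample values, and the proxy check stands in for the category feed a real web filter would consult.

```python
"""Deny-by-default egress policy model (added example, not the article's code).

Two layers are modelled: a network ACL (who may talk to what) and a proxy
filter (which sites inspected user traffic may reach). Both default to deny.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not from the article).
USER_NETS = [ipaddress.ip_network("10.10.0.0/16")]     # workstation VLANs
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # non-user subnets
INTERNAL_NETS = USER_NETS + SERVER_NETS
PROXY = (ipaddress.ip_address("10.20.1.5"), 3128)      # inspecting web proxy

# Constructed domain lists; a real deployment would take these from a
# category feed and an IT-maintained allow list.
PERSONAL_WEBMAIL = {"mail.example-webmail.test", "webmail.example.test"}
FILE_SHARING = {"share.example-cloud.test", "drop.example.test"}
APPROVED_FILE_SHARING = {"share.example-cloud.test"}   # the IT-sanctioned one


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


_denials = []  # audit trail of blocked requests, for detection and tuning


def _deny(reason):
    _denials.append(reason)
    return Decision(False, reason)


def denied_events():
    """Return a copy of everything the policy has blocked so far."""
    return list(_denials)


def _zone(ip):
    if any(ip in n for n in USER_NETS):
        return "user"
    if any(ip in n for n in SERVER_NETS):
        return "server"
    return "unknown"


def _is_internal(ip):
    return any(ip in n for n in INTERNAL_NETS)


def _matches(host, domains):
    """Exact or subdomain match against a domain set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def network_policy(src, dst, dport):
    """Layer-3/4 rule: closed by default, opened per zone by exception."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zone = _zone(src)
    if zone == "unknown":
        return _deny(f"{src}: source is not in any known subnet")
    if zone == "server":
        # Non-user subnets get no Internet path: neither direct nor via proxy.
        if (dst, dport) == PROXY or not _is_internal(dst):
            return _deny(f"{src}: server subnet has no Internet egress by default")
        return Decision(True, "server-to-internal traffic")
    # User zone: internal destinations (including the proxy) are reachable;
    # anything external must go through the proxy so it is inspected.
    if _is_internal(dst):
        return Decision(True, "user-to-internal traffic")
    return _deny(f"{src}: direct Internet access to {dst}:{dport} bypasses inspection")


def proxy_policy(src, host):
    """Proxy-layer rule applied to inspected user web traffic."""
    src = ipaddress.ip_address(src)
    if _zone(src) != "user":
        return _deny(f"{src}: only user subnets may use the proxy")
    if _matches(host, PERSONAL_WEBMAIL):
        return _deny(f"{src}: personal email ({host}) is blocked")
    if _matches(host, FILE_SHARING) and not _matches(host, APPROVED_FILE_SHARING):
        return _deny(f"{src}: file-sharing service {host} is not IT-approved")
    return Decision(True, f"{host} allowed after inspection")


def web_request(src, host):
    """End-to-end decision: reach the proxy, then pass the proxy's filter."""
    hop = network_policy(src, str(PROXY[0]), PROXY[1])
    return hop if not hop.allowed else proxy_policy(src, host)


if __name__ == "__main__":
    for s, h in [("10.10.3.7", "docs.vendor.test"),
                 ("10.10.3.7", "mail.example-webmail.test"),
                 ("10.20.4.2", "docs.vendor.test")]:
        print(s, h, web_request(s, h))
```

The point the model makes is that the ordering of the rules is the policy: the allow rules are few and specific, and the last line of each function is a denial, so a new VLAN, a new SaaS tool or an unexpected port is blocked until someone deliberately adds an exception, which is exactly the "open by exception and with full intentionality" posture described above.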
Why Isn't This Being Done Already? The Barriers
Blocking access to personal sites and platforms and slower systems access incurred by filtering/inspection can cause a degree of user and leader dissatisfaction. Some of the tools needed are also costly.
IT needs a stronger voice, expressing problems, solutions, risks, and results of failure in terms leaders can both hear and understand, so that proper controls and associated costs can be allocated. Users can then be educated from the top down on why these controls are necessary; thus, security awareness education can shift from "don't click and here's why" to include "We block most things by default, and here's why." Leaders that still choose not to make more aggressive investments have skin in the game on the level of risk they're choosing to accept for the organization.
Often, IT teams are also short on staff or expertise: they can't mitigate risks they can't see, educate on threats they don't know, or enable tools on which they are untrained. Teams without this visibility should consider in-depth assessments of controls, configurations, and orchestration from qualified experts.
One thing is certain: No matter how much training we provide, users will always be fallible. It's essential to minimize users' options to click in the first place, and then ensure that, when they do, there are controls in place to disrupt the progression of the attack.