It turns out that the weakest link when it comes to IT security is usually the people who work inside any given organization. It's not that employees are particularly malevolent, but rather that they are easily exploited.
A new report from The CloudLock CyberLab based on the analysis of 10 million users suggests that one percent of all end users actually account for an astounding 75 percent of the cybersecurity risks attributable to cloud computing. As such, it’s clear that if cloud computing is ever going to be perceived as being secure, more focus needs to be placed on how cloud security training is provided to end users.
Employees pose a potential risk to the business
In general, end users are the weakest IT security link. No amount of investment in firewalls and anti-virus (AV) software can prevent malware from entering an organization when it winds up being downloaded by an end user who has been fooled into clicking on a particular link.
Usually using an attack known as spear phishing, digital criminals have become adept at crafting email messages that look like they were sent by a legitimate source. For example, digital criminals will craft an email message that looks like it came from a school that the child of an employee attends. Once they click on a link in that message, a malware payload enables the digital criminal to exploit the system at will.
While there’s no way to prevent these types of “social engineering” attacks, senior business leaders within many organizations have become painfully aware of the need to increase employee vigilance about IT security. That includes everything from the cloud services they use, to being more circumspect about who is sending them an email message and why.
Increased awareness around cloud security
At the same time, however, it’s now permissible for most organizations to be more aggressive about locking down the desktop computing environment. While once upon a time employees perceived using PCs in the workplace to access consumer email services and other Web sites as something akin to birthright, most of them can now access those services using their own personal mobile computing devices. That doesn’t mean they don’t need to be educated about why they might still be targets of a spear phishing attack, but it does limit the potential for any malware to be distributed across the rest of the organization.
The good news is that thanks to a raft of high-profile breaches, end user awareness of the need to be thoughtful about the applications they use has never been higher, which means most of them are more open to participating in an IT security awareness program.
For IT service providers, the company that provides that IT security awareness more often than not winds up being the trusted advisor for all the security needs of that organization. They also gain invaluable insights into how that organization actually operates, which helps them better secure those processes.
Naturally, there’s a significant amount of engineering work going on across the IT security industry to better isolate end users from potential threats. But in between now and the development of those advanced technologies, greater IT security awareness among end users is now a critical component of the IT security strategy for organizations of all sizes.