2026-03-20

Rusting chains


‘The weakest link in IT security is always the one between the screen and the backrest of the office chair,’ someone joked in the comments under my previous blog. That blog was about WhatsApp and Signal accounts that had been hacked through their owners. Directly opposed to that is a statement by a former general director of our organization: ‘People are the strongest link in security.’ How do these statements relate to each other?

You often hear that first quote. It basically means: the computer user falls for it with eyes wide open because they don’t understand it all. Some even dare to speak of ‘that dumb end user.’ That, at any rate, is unfair: you simply cannot expect every employee to thoroughly understand all the ins and outs of cybercrime and information security or to be constantly alert to suspicious situations. So stupidity is almost never the issue (I will come back to that ‘almost’).

A chain consists of multiple links. According to the old saying, the weakest link determines the strength of the chain as a whole. That saying implies that one link can be designated as the weakest. But what if another link rusts faster and overtakes its already weak neighbor? Then suddenly a different link becomes the weakest. If the chain is then put under tension, it may break in a completely different place than expected. In short: I don’t believe much in the weakest-link theory. What I do believe in is a chain that is regularly maintained. If a weak spot is found, it should be repaired.

The security chain has two kinds of links: technical and human. I am keeping it simpler here than other models do, because this is all I need to make my point. Ideally, the technology would keep all harm and inconvenience out. Our mail filters would recognize every phishing attempt and send spam flawlessly to the trash. All DDoS attacks would be repelled before they reached your network. And hackers wouldn’t stand a chance, because every break‑in attempt would be crushed instantly.

We all know that this isn’t how things work. A hundred percent protection through technology alone is an illusion. You wouldn’t think so if you walked through a security expo where vendors promote their hardware and software. They always seem to be selling perfect security, and with the rise of AI that has only become ‘worse.’ But reality is different: the links in the chain have some rusty spots. And do you know why that is? Because the links rub against each other. It’s not as if one system protects everything; there is interaction. And that is where things can go wrong. In the interaction between technical systems, but also — more often? — in the interaction between technical and human links. Put simply: if a system raises an alert but the user dismisses it as irrelevant while something really is happening, then you have a serious rust spot.

So, are humans the strongest link? When I first heard that claim, I was surprised, because the weakest‑link theory was widely accepted then. But I have changed my mind since. Nowadays, I tell my audiences that they are indeed the strongest link. The user is my last line of defense — when all technical systems have failed, the human is the only remaining safeguard. At least, for the kinds of trouble in which the user plays a role.

Stupidity is almost never the issue, I wrote. Almost. So does that mean sometimes it is? Yes. It happens that people have a bad feeling — for example, they don’t trust a certain email. And then they still click the link or open the attachment. Just to see what happens. Because they’re curious. Or because they think: well, this isn’t for real, right? That’s not smart. Just follow the simple rule: when in doubt, assume it’s malicious.

And in the big bad world…

