Knowledge Base

End-Users & IT Security – the Weakest Link

October 18th, 2017

When thinking about end-users and IT Security, two related things leap to mind: the first is an early 2000s gameshow, the second an adage about chain strength. Both say the same thing: when it comes to network security, your end-users ARE your weakest link.

Regardless of the amount of money spent on firewalls, intrusion detection, log management, compliance, and network vulnerability testing, security surveys are unanimous that end-user actions are directly responsible for more than 80% of global security breaches. Whether direct or indirect, intentional or accidental, end-users are reliable only in that they expose their employers to massive security risks. Because of this, diligence is required in making sure your users understand the corporate risks inherent in a data breach, and what they, as individuals and as a collective, can do to prevent such unauthorized access.

End-user focused security services have become of paramount concern in the age of the cloud and the remote worker; there are simply too many paths open for an industrious attacker to exploit. Computer Integrated Services works with clients to help identify the key users and topics of concern, then conducts end-user security seminars focused on education and awareness of security best practices.

“But a lot of my users are Millennials, they were born online, they know this stuff”

While that may be true of an increasing number of companies, the truth is that a large portion of the workforce still sits at the opposite end of the user spectrum: aging users who are not generally inclined to keep up with changes in technology. And, often, these are your power users, key executives with the most access and the most privileged information.

The first step CIS’ elite Network Security Team recommends is to conduct end-user testing from several vectors. It is critical to identify potentially troublesome users in your environment. This identification allows CIS and our client’s IT staff to provide guidance to specific users, as well as attempt to establish technology barriers to help protect them.

Testing also serves as a guideline for focusing the development of CIS’ Security Seminar program, a customized end-user focused presentation, or series of presentations, from CIS’ Chief Information Security Officer. Training seminars are conducted in groups of users, typically coordinated by need and level of capability, to allow for focused learning, as well as efficient use of time.

Seminar material varies from client to client, depending on the needs of each specific user base, as well as the continual emergence of new network security threats. Seminars are typically best when they are engaging and interactive, so CIS always encourages questions within the covered topics. Follow-up materials such as best-practices reminders, written tests to review and reinforce the subject matter covered, and follow-up one-on-one sessions are also typically provided on an as-needed basis.

Topics covered will typically include:

  • Best Practices for Password Management
  • Best Practices for Web Browsing and Applications
  • Best Practices for Mobile Devices / BYOD
  • What is Malware, Adware, Ransomware, etc. and How to Not Infect Your Company
  • Social Engineering – Targeted Awareness: Phishing, Spear-Phishing, Shoulder-Surfing, Dumpster Diving, etc.
  • Cloud Storage and Access – Best Security Practices for the Public Cloud
  • Remote Access and Connectivity
  • Encryption, Data Security, Data Destruction, and Compliance (Internal and/or Various Regulatory)

Regularly covering these topics, and more, and staying diligent about end-user education is the only path toward real security. Users are notoriously demanding of any IT staff; it’s time to be demanding back. IT Security should be every employee’s concern.

For further details, or to schedule a CIS Security Seminar, please contact us today.