New Strategies - As IT security professionals, we’re great at providing our clients with firewalls, encryption software and other technological safeguards against data breaches.

New Strategies

Tackling the end users’ security vulnerability

  • By Ryan Corey
  • Nov 01, 2015

As IT security professionals, we’re great at providing our clients with firewalls, encryption software and other technological safeguards against data breaches. But, did you know that even your best-protected clients may face an even greater threat than poorly managed networks and systems? So, what exactly is this threat? It’s the end user.

The Growing End User Security Threat

End user security is a huge and growing threat. The term “end user” is defined as any person who uses organizational software or hardware to complete work tasks in any manner that falls outside of the generally accepted range of “Information Technology.”

The end user does not include those who create or edit code, manage/administer the systems or database and perform similar IT functions. In other words, the end user is the “normal” person who uses a system to do their job, long after the system has been installed and configured by IT professionals.

A survey conducted by Bronium, a firm specializing in business security, found that 72 percent of IT security professionals named end users as their biggest security problem. In addition, 80 percent of IT administrators believe that end user carelessness is a bigger threat than malware or hacking.

There are many cases of end user vulnerability. For example, the Damariscotta County Sheriff’s Department in Maine reported that malware was installed on its system when an end user “clicked a link.” Hackers demanded (and received) $300 in bitcoins for confidential records they had stolen from the system and to neutralize the malware. Additionally, hackers targeted selected employees of Fidelity National Financial of Jacksonville, Fla., with a phishing attack to secure their usernames and passwords. Credit card numbers, customer names, account numbers and driver’s license numbers were then obtained by using the pilfered credentials.

Data breaches damage an organization’s reputation, destroy customer trust, and cause deep and sometimes long-term loss of revenues. According to the yearly Data Breach Investigation Report released by Verizon in 2014, 44 million records were compromised in 2012 as the result of 621 confirmed security breaches. Not only has the number of breeches continued to rise since 2012, but so too has the magnitude and publicity of the attacks. To combat attacks from external sources, IT professionals employ a variety of technological safeguards including firewalls, data encryption and two-factor authentication protocols to prevent unauthorized access. However, such defenses are often ineffective again the most common source of breaches—the end user.

How End Users Endanger Systems

Criminals are well aware that end users are the “weak link” in the security chain, and so they frequently target users. Even the best antivirus software or firewall cannot guard against human nature. People are curious, prone to seek the most convenient method of completing a task and frequently inclined to believe that bad things only happen to other people. They often fail to recognize a potential security threat, and even if they are suspicious, they may not know the proper protocol to handle a potential risk.

Weak passwords, mobile devices, and online behavior are just some of the factors that contribute to end users providing attackers with access to an enterprise’s system.

Although debate still rages in the IT world over whether passwords are an outdated form of security, they remain the first line of defense against unauthorized access. Unfortunately, users often establish weak passwords that are easy for others to guess or that can be found by performing secondary research on a target, such as visiting the individual’s social media pages. SplashData compiles an annual list of the worst passwords that have been leaked during the previous year. Each year since 2011, the top two positions on the list have been “123456” and “password.” Other weak passwords include “access,” “LetMeIn,” and “qwerty.” People often choose the name of their favorite team or sport, the name of their child or spouse, company name or a favorite movie.

Second, mobile devices create end user security vulnerabilities. Mobilization has brought many advantages to the business world, but it has also brought security challenges. The use of smartphones, compact portable storage drives, laptops and tablets have been increasing annually. With more companies making the move to the cloud, employees armed with mobile devices can easily work from home, a client’s site or a hotel room. One problem with mobile devices is that they’re mobile, which means they can be easily misplaced, lost or stolen.

A potential hacker with even moderate skills can break a password once the hacker has physical possession of the device. Additionally, it is not uncommon for users to download sensitive files to their mobile devices so that they may complete tasks while out of the office.

Many users are fiercely loyal to a particular operating system or mobile device. They may feel that they are more productive using a Windows-driven laptop, for example, or an Android smartphone, and so they use their own devices rather than secure, business- issued phones and computers. If they download an infected file, such as a video or song from a torrent site, using a personal app, the malware can easily spread to business apps and anything else which connects to the device.

Finally, users frequently expose themselves to exploitation through their online behavior. In many cases, users are simply not educated in security, common threats or best practices.

One of the most common ways for hackers to install malware is to entice users to click on a link. The link may be included in an email that sounds perfectly legitimate, or the link may be a banner ad or “special offer” that the hacker has placed on a website. Links now very often appear in the form of a well-disguised email from either a friend or trusted source. To make matters worse, when a user mistakenly clicks on a malicious link, they often have emotions of guilt, and they tend to hide or ignore the incident.

The Solution: Culture and Learning

Eliminating the end user threat begins with educating users and making them aware of security issues and best practices for mitigation. They must be prepared to deal with potential breaches when they occur. To significantly improve end user security, organizations must establish a security-based culture, and they must employ a training course with a proven learning model.

So, how do you go about educating your end users and establishing a culture of security? Studies have revealed which end user security awareness learning models work best. Given that end users are often a diverse group of people that are comprised of blends of personality and learning types, conceptual and procedural learning is the most effective technique.

The best end user training includes a format made up of technical narrative delivery to teach the scenarios, technical narrative delivery to teach the responses, and then a visualization mechanism to help the end user visually capture the intended behavior conveyed in the technical data.

The problem, of course, is that enterprise security training is expensive and often cost-prohibitive for many organizations. Many people and companies alike are leveraging the power of Massive Online Open Courses or MOOCs to meet their security training purposes.

The N2grate Story

To show how end user security MOOCs can help with training costs, take a look at N2grate. N2grate is a full service Value Added Reseller that provides comprehensive pre-sales and postsales engineering services to customers in the B2G space. With a staff of approximately 30 employees, N2grate’s engineers develop solutions and determine equipment configurations ensuring interoperable, compatible solutions for their customers.

Under N2grate’s original training model, each week of end user security training cost $2,500 per employee, plus travel expenses, averaging $7,000 to $10,000 per year per employee. N2grate learned about the MOOC, Cybrary, through a local media story, and decided to enroll a few N2grate employees in Cybrary’s CCNA and Network+ classes and the Virtualization Management class, two courses employing our MOOC format.

So far, Cybrary has saved N2grate $7,000-10,000 per employee, and it’s projected that our MOOC will save them $50,000 over the next 12 months. Additionally, N2grate’s employees are able to complete the training course on their own time, which allows them to work on projects simultaneously.

Effective end user security MOOCs cover a variety of topics, but some key ones are password security, the acceptable use of mobile devices for business purposes, how to identify and respond to phishing attacks, and how to avoid “over sharing” potentially sensitive information on social media. MOOCs provide a new, lower cost solution for end user security training.

End users are considered the greatest security risk to most organizations. What steps will you take to mitigate the prime threat that your networks and data protection face?

This article originally appeared in the November 2015 issue of Security Today.

Featured

  • Report Shows Cybercriminals Continue Pivot to Stealthier Tactics

    IBM recently released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. Read Now

  • 2025 Security LeadHER Conference Program Announced

    ASIS International and the Security Industry Association (SIA) – the leading membership associations for the security industry – have announced details for the 2025 Security LeadHER conference, a special event dedicated to advancing, connecting and empowering women in the security profession. The third annual Security LeadHER conference will be held Monday, June 9 – Tuesday, June 10, 2025, at the Detroit Marriott Renaissance Center in Detroit, Michigan. This carefully crafted program represents a comprehensive professional development opportunity for women in security this year. To view the full lineup at this year’s event, please visit securityleadher.org. Read Now

    • Industry Events

  • Report: 82 Percent of Phishing Emails Used AI

    KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today launched its Phishing Threat Trend Report, detailing key trends, new data, and threat intelligence insights surrounding phishing threats targeting organizations at the start of 2025. Read Now

  • NRF Supports Federal Bill to Thwart Retail Crime

    The National Retail Federation recently announced its support for the Combating Organized Retail Crime Act of 2025. The act was introduced by Chairman Chuck Grassley, R-Iowa, Senator Catherine Cortez Masto, D-Nev., and Representative Dave Joyce, R-Ohio. Read Now

  • ISC West 2025 Brings Almost 29,000 Industry Professionals to Las Vegas

    ISC West 2025, organized by RX and in collaboration with the Security Industry Association, concluded at the Venetian Expo in Las Vegas last week. The nation’s leading comprehensive and converged security event attracted nearly 29,000 industry professionals and left a lasting impression on the global security community. Over five action-packed days, ISC West welcomed more than 19,000 attendees and featured 750 exhibiting brands. Read Now

    • Industry Events
    • ISC West
Most   Popular

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.