The weakest link
Posted : Thursday July 10th, 2008
As they say, a chain is only as strong as its weakest link. So how strong is your security chain?
The reality is that the weakest link for most secure systems is not the systems themselves but the users. User education and training form a fundamental part of establishing a truly secure system.
We all know the stories. Users who keep their passwords on sticky notes attached to the monitor. Users who rotate through the same three or four passwords year after year. Users who use obvious passwords.
But there's even more to it. If someone purporting to be an IT person contacted an employee, could they get that employee's username and password? Do your employees know how to judge the credentials of people who contact them? Do your employees know that they should never give out usernames and passwords to anyone, for any reason, ever?
It's worth keeping in mind, whether you are auditing an existing system or planning for a new one: if you can't make the investment in your people, there is no point in investing in expensive hardware or software. At the end of the day, if a system fails because people don't understand it, or don't understand what is important, then the system might as well not exist in the first place.
Tags: links, security, thinking, weak
Categories: Security
Comments
silky - Jul 11th 2008 8:54 PM I must say, in my opinion educating users is not the answer to security problems. It'll never work. (it never does). The system needs to be designed to accommodate idiots. mho.
Max - Jul 14th 2008 8:55 PM I totally disagree with the above and I find that kind of shortsighted thinking to be one of the problems in this field to be honest with you.
If you read the second paragraph above, I specifically noted that users are a part of your security system; in fact, they are part of _every_ security system. If you just go with, "The users are stupid", you have failed before you started.