
Don’t Blame the User (And Don’t Count on Them Either)


By Deb Radcliff

Security naiveté among employees was a top reason for the growth in ransomware in 2020, according to 43% of the more than 1,200 IT decision makers who took the Mimecast State of Email Security survey.

The negative term ‘naïve’ used to describe the users bothers me. Blaming the users has been a peeve of mine since the mid-’90s, which is the main reason I became a cybercrime reporter back in 1996.

These ‘average Joe’ users were getting royally fleeced back then, and I regularly raised the issue with IT pros and white hats. They told me over and over that, ‘If the average user can’t stand the heat, he shouldn’t be on the net.’ (Mind you, these are the same pros who can’t say for sure whether the business networks they’re charged with protecting are bulletproof...)

Sheep to the Slaughter

Users can’t be expected to detect threats on their computers that are increasingly disguised as work-related communications, just as they can’t be expected to work from home and provide their own security to protect their employers. It’s important to note also that 60% of respondents acknowledge that the attacks aimed at their employees are increasing in sophistication.

Once I read the report, I pinged Mimecast with my strong opinions and asked a few questions, starting with blaming the user.

“While IT security professionals know that employees shouldn’t be held responsible for the full scope of security, they do expect that employees practice habits such as strong passwords or an awareness of how impersonation of a CEO can happen,” says Jeremy Ventura, Senior Security Engineer at Mimecast.

And that’s another peeve: passwords suck.

Even with password managers and vaults, managing complex, system-issued passwords is nearly impossible across our many computers, tablets, phones, Siris, security systems, TVs, entertainment devices, etc. Until security is as ubiquitous as seatbelts and as easy as checking the oil indicator gauge on a car dash, average users will be incapable of protecting the front line in email-based attacks.

Trust No One

This speaks not only to zero trust security models (trust nobody, not even authorized users), but also to precious user data that organizations are wasting—data that would help them protect the business environment from their own users. According to the Mimecast report:

  • 55% of employers are not using employee data and reports to tune their security to user behaviors
  • 45% don’t take feedback from employees
  • 33% aren’t using metrics

Since they aren’t taking employee feedback or using their behavior data, it’s hard to believe that the majority of respondents use metrics in any useful way.

Most Common Payload: Ransomware

With a 64% increase in email-based threats detected in the Mimecast threat center, the report also reveals that employees who work from home are being directly targeted, Ventura continues. And the payloads are most often in the form of ransomware, which has, in recent months, become more diabolical.

In the Mimecast survey, 34% of companies were unable to recover their data after paying ransoms. Does that mean the decryption keys didn’t come through, or that, with ransomware now also exfiltrating data, the data wasn’t returned? Ventura says it’s a combination of both: “failing to recover their data, and also because their data was already exfiltrated to the dark web.”

“Once the hacker sees that the organization is willing to pay, instead of releasing the decryption key, the hacker will come back requesting a larger amount in hopes that the organization will pay again,” he continues. “In addition, double extortion has spiked in the last several months where hackers will charge one ransom for the decryption key and then another ransom not to sell the encrypted data.”

There we have it. Workers at home exposed to increasingly sophisticated attack methods are not equipped to hold the front line against ransomware gangs and other cyber attackers. And still, the consensus is that the end users just need more training.

“Reinforcing best practices and awareness will hopefully drive the 43% [of naïve users selected as the top security risk] to a lower number in 2021,” Ventura continues. However, he adds, “Security must lead by example and then end users should follow.”