There’s enough blame to go around

I don’t trust my smartphone.

Although I’ve been writing on IT for almost 20 years and know mobile devices are better at security than they were even three years ago, I don’t do financial transactions on my handset, don’t open email attachments, have few applications, and those I download come from a reputable source. The fact is, though, I work from an office and don’t rely on my smartphone for business most days.

But that makes me an oddball in a world where people increasingly need their handset for work. So what does it mean that, despite regular news reports on phishing and the awareness training many organizations make available to staff, employees still click on what ought to be a suspicious link?

A columnist raised the question this week while dissecting a Reddit list of IT anecdotes about idiotic things employees say and do. Don’t be so sanctimonious, he warned: infosec pros aren’t perfect. It’s an old saw that people are the biggest weak point in cyber security, but that doesn’t mean infosec pros should be let off the hook.

For every employee who forgets a password, clicks on a bad link, sends data to a risky cloud service, downloads a risky application or spills a beer on a laptop, there’s an IT staffer who has misconfigured a server, decided against two-factor authentication, ignored an alert (or failed to find a way to winnow down alerts), failed to segment a network, and taken too long to patch a device.

One problem, the writer suggests, is that IT doesn’t understand that employees have a wide range of computer knowledge: some know a lot, others don’t know the difference between an operating system and a browser. It’s up to IT to know that.

“To a large extent,” writes the columnist, “security awareness is about giving users common knowledge, so they can exercise common sense. When a user makes a security-related mistake, it is frequently because security professionals assumed that the users know things they do not. While there are exceptions, if there is a failing, the security team did not provide proper training, if they provided training at all.”

His proof: investigating a successful phishing attack, he asked why the victims didn’t check the link in the email message to verify it was legitimate, as they’d been trained. Apparently they weren’t trained on how to do it on a mobile device.
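The check those users were expected to perform is simple on a desktop (hover, read the real destination) and awkward on a phone. As an added illustration, not code from the columnist or from IT World Canada, here is the same check done mechanically: pull every link out of an HTML message and flag the ones whose visible text names a different site than the href actually goes to, whose href hides the real host behind a user@ prefix, or whose host is a bare IP address. The message body and the hostnames in it are constructed for the example; they are not from any real campaign.

```python
"""Flag links in an HTML e-mail whose visible text says one thing and whose
href goes somewhere else: the check a user makes by hovering on a desktop.
Added example; the sample message below is constructed, not a real e-mail."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed phishing-style message body (illustrative hosts only).
SAMPLE_EMAIL = """
<p>Your account has been locked. Please sign in at
<a href="http://203.0.113.5/login">https://www.examplebank.com/login</a>
to restore access.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>
or <a href="https://www.examplebank.com@evil.example/reset">examplebank.com</a>.</p>
"""

# A hostname (optionally preceded by a scheme) written in visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def same_site(a, b):
    """True when one host equals, or is a subdomain of, the other."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(text, href):
    """Return the reasons one link looks deceptive; an empty list means none."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        # In "https://bank.example@evil.example/" everything before '@' is
        # userinfo, not the host; the browser connects to evil.example.
        reasons.append("userinfo before host; real host is " + host)
    if is_ip(host):
        reasons.append("href host is a bare IP address")
    m = HOST_RE.search(text)
    if m and not same_site(m.group(1), host):
        reasons.append(f"visible text names {m.group(1)} but href goes to {host}")
    return reasons


def check_email(html):
    """Return [(text, href, reasons)] for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        reasons = check_link(text, href)
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in check_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the constructed message, the script flags the first link (IP-address host, and the text names www.examplebank.com) and the third (user@ trick hiding evil.example), and passes the genuine help link. The manual equivalent on a phone is a long-press on the link, which shows the real destination before it opens; that is the step the training in the column apparently never covered.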


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
