I don’t trust my smart phone.
Although I’ve been writing on IT for almost 20 years and know mobile devices are better at security than they were even three years ago, I don’t do financial transactions on my handset, don’t open email attachments, have few applications and those I download come from a reputable source. The fact is, though, I work from an office and don’t rely on my smart phone for business most days.
But that makes me an oddball in a world where people increasingly need their handset for work. So what does it mean that, despite regular news reports on phishing and the awareness training many organizations make available to staff, employees still click on what ought to be a suspicious link?
A columnist raised the question this week while dissecting a Reddit list of IT anecdotes of idiotic things employees say and do. Don’t be so sanctimonious, he warned: Infosec pros aren’t perfect. It’s an old saw that people are the biggest weak point in cyber security. But that doesn’t mean infosec pros should be let off the hook.
For every employee who forgets a password, clicks on a bad link, sends data to a risky cloud service, downloads a risky application or spills a beer on a laptop, there’s an IT staffer who has misconfigured a server, decided against two-factor authentication, ignored an alert (or failed to find a way to winnow down alerts), failed to segment a network and taken too long to patch a device.
One problem, the writer suggests, is that IT doesn’t understand that employees have a wide range of computer knowledge — some know a lot, others don’t know the difference between an operating system and a browser. It’s up to IT to know that.
“To a large extent,” writes the columnist, “security awareness is about giving users common knowledge, so they can exercise common sense. When a user makes a security-related mistake, it is frequently because security professionals assumed that the users know things they do not. While there are exceptions, if there is a failing, the security team did not provide proper training, if they provided training at all.”
His proof: Investigating a successful phishing attack he asked why the victims didn’t check the link in the email message to verify it was legitimate — as they’d been trained. Apparently they weren’t trained on how to do it on a mobile device.