The Catholic University of Eastern Africa: Kimutai Pavin Kiptoo 1036621

USER: THE WEAKEST LINK IN ANY NETWORK INSTALLATION
ABSTRACT
Most people believe that the weakest link in the security chain is the user. You can have the most
sophisticated computer security in the world and it won’t always protect you. Everything you rely
on to keep your confidential data secure can be accidentally undone by one user—in a matter of
seconds. That’s because hackers, more and more, are attacking the weakest link in your cyber
security—your end users.

Most companies have security protocols in case of an outside attack but what they don’t often
realize is that the largest threat is usually from within. Almost every security breach reported is
pinned on human error – a fact that suggests the employees are the ones mostly at fault. This is, in
part, due to the organizational culture and lack of a proactive approach towards cyber security.
The User is the weakest link in any network security installation
People often represent the weakest link in the security chain and are chronically responsible for the
failure of security systems. Consider information security as a chain. Chains consist of more than
one link. This chain is intended to be protecting the assets, information, and finances of some
organizations. Apart from the human factor, this chain comprises technical, physical, or similar
synthetic links.

Organizations invest heavily in beefing up their cyber security, which includes VPNs, encryption,
anti-virus software, scanning, and so on. But the question is: how much are they investing in their
people? An annual cyber security conference has proven to be mostly ineffectual, and bombarding
people with information at a time when they are feeling overwhelmed is also not recommended.

When users have their data compromised, it’s usually as a direct result of a failure or misstep on
their own part. While a determined hacker targeting an individual will eventually be able to
overcome any security precaution, most of us will never be so specifically targeted. Maintaining
basic security hygiene and awareness would be enough for us to protect ourselves against almost all
general online hazards. And yet, we continually find that loss of security, compromised accounts or
stolen credentials can be traced back to a failure on the user’s part.

Hackers do not have infinite resources and time at their disposal. They want to direct their energies
toward areas where they are likely to enjoy the easiest and fastest yield on their efforts. The attacker
will make a beeline for the path of least resistance. No matter how secure your network may be, it's
only as secure as its weakest link. Cyber attackers use highly sophisticated methods of targeting
front-line employees and even CEOs. Information is available publicly – for example, LinkedIn and
even the company website contain details like email addresses, work history, connections,
education, etc. – which makes it easier for attackers to make personalized attacks. They can use the
employees as touch-points to exploit sensitive company data and if an employee is not sufficiently
educated in cyber security, they can fall victim to such spear-phishing. Identifying a cyber attack is
much harder than avoiding one in the first place. That is why 95% of security breaches are blamed
on human error, proving people to be the weakest link in cyber security. Even though the success
rate for phishing attacks continues to go down each year, enough users still fall victim to make them
worthwhile.
According to a report by HelpNet Security, 43% of employees have made errors resulting in cyber
security repercussions for their organizations. When asked what types of mistakes they had made,
one-quarter of employees confessed to clicking on links in phishing emails at work. 47% of employees
cited distraction as the top reason for falling for phishing emails, closely followed by the email
looking legitimate (43%), with 41% saying the phishing email looked like it came from a senior
executive or a well-known brand. In addition to clicking on a malicious link, 58% of employees
admitted to sending a work email to the wrong person, with 17% of those emails going to the wrong
external party. This simple error can lead to serious consequences for both the individual and the
company, which must report the incident to regulators as well as to its customers. In fact, one-fifth
of respondents said their company had lost customers as a result of a misdirected email, while 12% of
employees lost their job.

As users, we also allow malware to be more of a problem than it needs to be. Phishing campaigns
extensively employ emotional manipulation and psychological techniques, so falling for one can be
excused as a human lapse. Recently, it was found that less than half of Windows users had any form
of antivirus installed. The situation is even worse among smartphone users, with only 39% having
any form of mobile antivirus installed. This means that even as the built-in security for our devices
improves, we continue to leave ourselves at risk by failing to keep our software updated.

User authentication in today’s security landscape has one critical underlying flaw: a password, even
with MFA enabled, does not prove the user’s identity. All that is proven by our current methods of
authentication is that the person logging in has access to the user’s password and any relevant MFA
device. Anyone with access to these has access to the user’s account and all information stored on it
with no checks or barriers. We already have the technology to replace passwords, but new systems
and products continue to employ passwords for authentication, and frequently allow for relatively
weak password security. In most cases, MFA is not mandatory and password complexity
requirements are lax. This leaves our accounts with a lack of inherent security and places the
responsibility on the user to make up for any intrinsic security holes. Yet authentication processes
never provide any incentive or strong requirement for us to compensate for their weaknesses.

Users could clearly be doing a lot more to keep themselves safe, but does this automatically make
them the weakest link in security? It's important to note that poor security puts organizations, as
well as their partners, at risk. As a result, many enterprises and organizations, such as credit-card
companies, now specify and require minimum levels of security you must have in order to do
business with them. Organizations need to come up with new ways to increase security awareness
in their employees. In this digital age, employees assume that the company will have ample
measures in place to protect itself. They don’t realize the dangers of clicking on rogue links and
opening unverified attachments – actions which can play a significant role in a security breach.

While technology can filter out most attacks, it cannot eliminate every threat. Employees represent
the last line of defense and they should be educated on cyber security, how to deal with potential
threats, and how to report them. For this reason, leaders of an organization have the challenge of
presenting this information in a way that is easy to understand and retain, because making good
cyber security decisions is the last thing on an already overwhelmed employee’s mind.

So what can you do? Here are some ways to minimize the risks that users can pose to the security of
a system:

• Password-protect your computers and mobile devices, particularly laptops. One basic
step toward defending data is to require a password to launch a PC. It's not bullet-proof, but
it's a start, and it's a particularly important first defense for portable computers.
• Ideally, create a password that contains a mixture of characters and numbers and can't be
easily identified with the primary user of a computer. For instance, the password 'sam2001'
on a computer belonging to an employee named Sam born in 2001 would be easily guessed.
Instead, it's better to create a complex password mixing numerals and lower-case and
capitalized letters, something that means something to you so you can remember it.
Example: 'mas@==!' would be a better password for Sam. For the best protection,
passwords should be changed every three months. Users shouldn't share the passwords they
create with anyone (administrators can still log onto a password-protected PC to perform
diagnostics, system administration and other tasks). Another option is to use two-factor
authentication.

• Don't store passwords in unprotected areas. The more complex a password is, the easier it
is to forget and you may want to record it somewhere. But don't store your passwords in,
say, a basic Word or Excel file or on a sticky note on your monitor. Instead, there are
inexpensive software programs available that let you manage and secure multiple passwords.

• Consider laptops with biometric security. If you're in the market for a new laptop,
consider one that comes equipped with a biometric fingerprint scanner. The scanner reads
fingerprints and only allows access to files on the computer to a user with an authorized
fingerprint.

• Encrypt confidential files. Another way to protect sensitive data is to encrypt the files
containing that data. Encryption scrambles data so that only an authorized user can access it.
You can encrypt files using built-in tools, though some third-party applications offer more--
and sometimes stronger--encryption tools.

• Whenever possible, don't carry confidential data on a portable device or removable
media. For maximum security, keep sensitive data off laptops, PDAs, BlackBerrys and other
portable devices. This is because if the device is lost or stolen, so is the sensitive data the
device contains. If you must physically transport sensitive data, consider storing it only on
an encrypted flash-memory USB drive. Store the drive in your pocket and not in the laptop
bag, so that you'll still have it if the laptop is stolen or lost.

• Lock your laptop when traveling. Like bicycle locks, laptop security cables allow you to
physically secure your portable computer to a post or other stationary object. Most current
laptops have a standardized security slot, into which you insert a locking device, which in
turn is attached to the cable. For example, if you're leaving a laptop in a hotel room that
doesn't have a safe, you could insert the locking device into the portable PC's security slot,
then wrap the cable around the narrow base of the bathroom sink. Portable laptop alarms are
also available that emit a loud sound when your laptop is moved, which is helpful when
waiting for the plane or other crowded area.

• Stay up to date. Keeping apprised of new tools and technologies can help you continue to
bolster the security of your systems data. For instance, new software utilities allow you to
remotely erase all data on a lost or stolen smartphone just by sending a text message to the
phone. And in recent months, new laptop hard drives have become available that
automatically encrypt all data.

• Be vigilant. Above all, users must stay on guard to protect sensitive data. To help keep
everyone on their toes, post signs above shared printers and fax machines, reminding users
not to leave sensitive documents lying around. Place paper shredders near recycling bins or
other common areas and encourage employees to use them.

• Create and enforce a security plan. Last, but not least: Your business should have a
detailed, written security plan for employees that includes specific policies and procedures--
including many (if not all) of the steps listed above. If security procedures aren't in writing,
it's far too easy for employees to use the "I didn't know" defense. And a security plan only
works if it's enforced and kept up-to-date.

• Install anti-malware. Malware exploits flaws, whether these are flaws in an OS, flaws
in software or flaws in the hardware design of a device. We can say that lack of malware
prevention is entirely the user’s responsibility when malware infections could be equally
reduced by elimination of bugs and vulnerabilities in the products and processes we use.
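The password bullet above gives one guessable password ('sam2001') and one preferable password ('mas@==!') for an employee named Sam born in 2001. As an added example that is not part of the original paper, the Python below implements the kind of policy check a defender would run when a password is set: it rejects passwords that contain the user's known attributes (the name, the birth year, and simple transformations of them such as reversal) and estimates how much brute-force work the character mix implies. The attribute dictionary, the character-class sizes and the 60-bit threshold are constructed assumptions for this example, not values from the paper.

```python
import math
import re

# Character classes and the number of symbols in each. The symbol count (33) is
# printable ASCII punctuation plus space. These sizes are an assumption of this
# example, not a figure from the paper.
CHARSET_SIZES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]


def estimate_entropy_bits(password: str) -> float:
    """Upper bound on guessing work: length * log2(size of the alphabet actually used).

    A real guesser does far better than this against dictionary words and
    personal data, so the figure is optimistic; it is only useful as a floor
    to reject against, never as proof of strength.
    """
    alphabet = sum(size for pattern, size in CHARSET_SIZES if pattern.search(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def personal_tokens(attributes: dict) -> set:
    """Strings a guesser who knows the user would try first: each attribute,
    lower-cased, and its reversal. Tokens shorter than three characters are
    dropped so the check does not fire on noise."""
    tokens = set()
    for value in attributes.values():
        v = str(value).lower()
        tokens.add(v)
        tokens.add(v[::-1])
    return {t for t in tokens if len(t) >= 3}


def check_password(password: str, attributes: dict, min_bits: float = 60.0) -> list:
    """Return the list of policy findings; an empty list means the password passed."""
    findings = []
    lowered = password.lower()
    for token in sorted(personal_tokens(attributes)):
        if token in lowered:
            findings.append(f"contains personal attribute '{token}'")
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        findings.append(
            f"estimated entropy {bits:.1f} bits is below the {min_bits:.0f}-bit minimum"
        )
    return findings


if __name__ == "__main__":
    # Constructed attributes for the paper's hypothetical employee.
    sam = {"name": "Sam", "birth_year": 2001}
    for candidate in ("sam2001", "mas@==!", "correct-horse-battery-staple"):
        result = check_password(candidate, sam)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run on the paper's own examples, the check flags 'sam2001' for containing both 'sam' and '2001'. It also flags 'mas@==!' because it contains the reversed name, and both seven-character passwords fall below the entropy floor; a checker of this kind is therefore normally paired with a minimum length rather than relying on character-mix rules alone, and the long passphrase in the demo passes both tests.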
Conclusion
User error is clearly the catalyst for most breaches. When we examine where along the supply chain
a breach happened, we can almost always point to the user practicing poor security, making a
blunder or being deceived by a scam or some form of social engineering attack. Through this lens, it
seems obvious that users are the weakest link in the supply chain and the most prominent security
issue.

If you are going to have a secure design for your IT infrastructure, then identifying and defending
your weakest link is essential. Addressing the weakest link means you avoid a strategy similar to
erecting a gate and expecting an attacker to run straight for it while there are no walls around the
gate to limit their access.

With a focus on the weakest link, you expend your time and energy on the risks that matter most.
Only after you have secured your weak points can you have some reasonable comfort your systems
are protected from attack.

The only effective defense against cyber attacks is education and awareness among users. Making
this education available can only go so far; even companies with mandatory security training report
users taking risks they already know they shouldn’t. Anywhere from 60% to 74% of employees
report flouting their company’s security policy in some way. All it takes is a personal lapse, rather
than a fundamental lack of intelligence or awareness, to fall for such attacks.
References
• Schneier, B. Secrets and Lies: Digital Security in a Networked World.
• Tessian report, via Help Net Security: https://www.helpnetsecurity.com/2020/07/23/human-error-cybersecurity/