Is the user the weakest link in security? When examining breaches, we can almost always point to users practicing poor security — how can we change this? Partner Now Request Infomation Put simply, most people believe that the weakest link in the security supply chain is the user. This attitude has become so widely accepted that it’s almost set in stone. It is justified by the inherent unpredictability of humans; the knowledge that a security hole in any application or codebase is fully discoverable and fixable; and the difference between ‘machine’ error and human error. Human error is inherently random; a lapse in attention or judgement can occur at any time, often with seemingly no context to prompt it. We never really question the idea that the user is the weakest link, but is it fair to stigmatize the user and consign them so unambiguously to being their own worst enemy? We ought to examine whether this consensus is truly justified. How users fail security When users have their data compromised, it’s usually as a direct result of a failure or misstep on their own part. While a determined hacker targeting an individual will eventually be able to overcome any security precaution, most of us will never be so specifically targeted. Maintaining basic security hygiene and awareness would be enough for us to protect ourselves against almost all general online hazards. And yet, we continually find that loss of security, compromised accounts or stolen credentials can be traced back to a failure on the user’s part. Password apathy Good password hygiene remains one of the hardest practices to instill in users. Our passwords form the gateway to our online accounts and potentially all our most sensitive data; no matter how secure a website may be against direct hacking attempts, if users allow their passwords to be broken or stolen it allows hackers free access to any data stored on that site. However, many users have poor password security, despite knowing the risks and the knowledge of how to improve their passwords. In 2019, SplashData estimated that about 10% of users used at least one of that year’s weakest 25 passwords. This might not be much of an issue on its own; not all our online accounts store especially sensitive personal data, and some breaches might hold very little of value for a hacker. This assumes, though, that the user has different passwords for each account they use online and that hackers wouldn’t be able to breach other, more sensitive accounts with the same login credentials. Ten percent doesn’t seem like a lot, but this is just the tip of the iceberg. Again in 2019, Microsoft revealed that 44 million users of various Microsoft service accounts were using vulnerable passwords that matched with a list of already-breached credentials circulating on the dark web. A survey from LastPass the previous year revealed widespread password re-use, with nearly 60% of users using the same password on multiple sites, even though 90% of respondents understood the security risks of password re-use. The same survey revealed that over 50% of users had gone longer than a year without updating their password. This does seem a damning indictment on users, with so many understanding the risks of lax password security but continuing to use old, already breached, or weak passwords. This is despite it being easier than ever to maintain good password security thanks to services like Avast Passwords, part of Avast Antivirus, which can generate and manage complex, secure passwords across multiple accounts, eliminating the problems of password re-use, memorization and weak passwords all in one package. There is also Avast Hack Check, which can tell you within moments whether you’re using a breached password that should be changed to keep you secure. Gullibility Users are also consistently taken in by the simplest, most preventable attack there is: Phishing. There is a wealth of information on what phishing is and how to avoid it, including the entry in Avast Academy and a discussion on the Anatomy of a Phish. Even though the success rate for phishing attacks continues to go down each year, enough users still fall victim to make them worthwhile, with phishing accounting for 22% of all data breaches in 2019. According to Verizon’s 2020 Data Breach Investigation Report (DBIR), 96% of phishing attacks are delivered via email, while the login credentials, PII, internal business data, medical information and financial credentials are the most targeted forms of data. We also see a lot of interplay between phishing and malware. Negligence and malware As users, we also allow malware to be more of a problem than it needs to be. Phishing campaigns extensively employ emotional manipulation and psychological techniques, so falling for one can be excused as a human lapse. In 2017, it was found that less than half of Windows users had any form of antivirus installed. The situation is even worse among smartphone users, with only 39% having any form of mobile antivirus installed. Even as the built-in security for our devices improves, we continue to leave ourselves at risk by failing to keep our software updated. The 2019 Avast PC Trends Report found that even Windows 10, which has automatic updates built in, is out of date for 8% of users. These statistics get worse with more specific programs; 15% of Microsoft Office 2007 and 2010 users have vulnerable versions of the software installed. When we examine software in general, we find that 55% of all programs are left unpatched, while Adobe Shockwave, VLC Media Player, Skype, Java Runtime, 7-Zip and Foxit Reader are out of date and vulnerable for over 90% of users. How security fails users Users could clearly be doing a lot more to keep themselves safe, but does this automatically make them the weakest link in security? We can simply say that users lack vigilance and leave it at that, but without careful examination of why users leave themselves so vulnerable, we do not have … Read more
