Users remain the weakest link in the IT security chain

It’s a favourite refrain in every IT helpdesk: “Our jobs would be so much easier if it weren’t for all those pesky users.”

In a week when the IT security world gathered in San Francisco for the 2010 RSA conference, that was probably also a familiar cry around the cavernous halls of the exhibition centre.

While the experts pondered in California, Spanish police were arresting three men alleged to be the operators of the Mariposa bot-net, which had nearly 13 million zombie PCs under its control and the personal details of 800,000 people. The suspects had no criminal record and apparently were not particularly technically proficient – yet still they amassed one of the biggest bot-nets in existence.

How? The Spanish police point to the clever software, and to the use of instant messaging and peer-to-peer (P2P) sites to distribute the viruses. But inevitably, that network would have been significantly smaller were it not for those pesky users.

“Even the most elegant technological solution will ultimately fail unless it has the support of talented professionals and a public that understands how to stay safe online,” US secretary of homeland security Janet Napolitano told delegates at RSA last week. Even the US government is worried about the weakest link in its cyber security chain – its citizens.

Closer to home, last month saw the first Human Factors in Information Security conference in London, at which experts lined up to stress the importance of education, awareness and training in tackling IT security threats.

But none of this is new. For as long as there has been an information security problem, there has been the mantra that you have to educate users. Yet here we are, still saying the same things.

There is only so far technology can go. If someone decides, against all advice, to click on that funny attachment, or through to that strange web site, or to download from that new P2P site, then IT security professionals can do little but grind their teeth in frustration. Security needs to be demystified for it to become second nature.