Why end users should not be defending organisations

Email is ubiquitous, and that leads some to assume that it’s safe. Nothing could be further from the truth. While the average end-user might be savvy enough to avoid unsophisticated scams, it remains, by default, a completely insecure communication channel.

User training is user blaming

Among cyber criminals, email remains something of a favourite attack vector. Phishing and spear-phishing attacks target users, with varying degrees of specificity.

Maybe the criminal receives an ‘out of office’ message from a finance director and knows they’re on holiday, giving them the perfect excuse to target a busy treasury department with money transfer requests. Maybe they collect information from social media profiles, which they then use to impersonate decision makers.

>See also: Data classification: central to every organisation’s security strategy

Email can be dangerous in numerous ways, and the problems it causes cannot be prevented solely by conditioning users to be cautious. The belief that education is the key to preventing cyber attacks has a certain logic to it: supposedly, by training employees, you eliminate any unintentional insider threat. But this unfortunately puts the onus for IT security on people who aren’t meant to be accountable for it.

User training is user blaming, nonetheless, businesses, government departments and other organisations continue to place the burden of responsibility for security on people who are utterly unqualified to bear it.

Email attacks are a problem that even well-seasoned IT security experts struggle to keep pace with. Domain impersonation and reply redirection are techniques that require a user to identify very small differences in a message or message chain. Something as sophisticated as the malicious application of Punycode – a special form of encoding – is extremely difficult to visibly detect.

>See also: Is user generated content fuelling data fatigue?

To put it bluntly and without malice: end-users don’t stand a chance. They can’t be ‘careful’ when a phishing or malware attack is near-indistinguishable from a typical email message. They can’t be trained to keep up with the latest attack vectors. One small mistake – and experts and end-users alike are capable of them – can allow a criminal to overtake an entire system.

End user involvement

Security departments should minimise end user involvement from the equation. Solutions should be put in place to detect and quarantine threats long before they ever reach a user or email server.

Advances in artificial intelligence and machine learning mean key attack techniques can be quickly identified and neutralised and malicious email simply shouldn’t be able to enter an organisation.

>See also: Why email is the weakest security link – and how to fix it

The best thing an end user can learn is a degree of cynicism – this at least will help them better trust their emails. But they shouldn’t be relied upon in any way to protect a company’s electronic assets – they are not the first or last line of defence.

If they’re being used as such then they will ultimately compromise the organisation they work for. Simply put, they’re there to use the system, not protect it. IT departments should ensure that they can do so – without having to worry about security threats.


Sourced by Nick Yarham, customer engagement manager, Corvid – a provider of managed cyber security services


The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering hereSet featured image

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...