The one security flaw we can’t fix – our own stupidity

If you have been following the Sony hack story you have certainly heard that the cyber-attack was most likely the result of malware or targeted phishing attacks. The same was true for the celebrity selfie hack a month or so ago. Somehow the hackers managed to convince the victims to give away their account names and passwords.

In the Sony case it may have started with a single employee, but once the hackers gained access to that one account it was as if someone left the back door to the toy store wide open and the criminals were free to wander through the Sony networks at will. According to the reports, once the hackers were in they didn’t have too much trouble finding all sorts of valuable information including names, addresses, phone numbers, social security numbers, salaries and passwords. In fact, there was a locked file on the network but located in the same directory was a file called ‘passwords’ and you can guess what that contained.

The same hack revealed that many Sony employees were using simple to guess passwords, but it sure makes things easier if they just give them away.

These hacks and many others show that there is one security flaw that we simply can’t fix, and that is the fact that users are gullible, lazy and in many cases simply stupid (as comedian Ron White said in one of his standup routines, “you can’t fix stupid”).

Unfortunately I don’t think there is anything we can do about this security weakness. It doesn’t matter how many memos get sent out or how many training seminars you make your employees sit through, people are just too lazy to change their passwords on a regular basis, people will fall for phishing schemes and people will do stupid things like putting all the company passwords in a file called ‘passwords’ – there’s simply nothing you can do about it. That’s just the way we are. And the odds are that even if your company has security training seminars, members of your management team are ‘too busy’ to attend (and have passwords like ‘god123’ or ‘bigbossman’).

Now I also believe that most companies out there have little or no network security in place to keep the traditional hackers out. The fact that companies still fall prey to SQL injection attacks, buffer overflow attacks and brute force attacks (well documented, easily fixed security holes that simply should not exist anymore), and the fact that there are hundreds if not thousands of networks still running on default settings, proves that IT managers and programmers are not doing their jobs.
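To show how “easily fixed” the SQL injection hole really is, here is an added example (not code from the original post or from any of the companies it mentions): a login check written the vulnerable way, by pasting user input into the query string, beside the same check written with a parameterized query. The table, the user names and the probe input are constructed for the example; the hash function is a placeholder for whatever password hash a real system uses.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Placeholder hash for the example only; a real system should use a
    # dedicated slow password hash (bcrypt, scrypt or argon2), not plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # In-memory table with two constructed accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", hash_pw("correct horse")), ("bob", hash_pw("battery staple"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The hole: user-controlled text becomes part of the SQL statement itself,
    # so a quote character in the input changes the meaning of the query.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND password_hash = '"
        + hash_pw(password)
        + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The fix: the statement is fixed text and the values travel separately as
    # bound parameters, so the database never parses user input as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, hash_pw(password))).fetchone()[0] > 0


def regression_check(conn: sqlite3.Connection) -> dict:
    # A defender's test: a classic textbook probe (a quote followed by an SQL
    # comment marker) with a wrong password must never log anyone in.
    probe = "alice' --"
    return {
        "vulnerable_accepts_probe": login_vulnerable(conn, probe, "wrong"),
        "safe_accepts_probe": login_safe(conn, probe, "wrong"),
        "safe_accepts_real_login": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    db = make_db()
    for name, result in regression_check(db).items():
        print(f"{name}: {result}")
```

Running the block prints that the string-built query lets the probe through while the parameterized version rejects it and still accepts a genuine login; the same three checks make a reasonable unit test to keep the fix from regressing.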

Management, in many cases, is also loath to spend money to fix these problems or extra money upfront to avoid these problems in the first place. Security is seen as an expense that does not contribute toward the bottom line and with the pressures to keep expenses low in order to maximize profits there is little incentive to spend money on security.

But even if companies did the safe and sane thing by making sure their networks are secure against outside attacks there is nothing they can do about their employees clicking on the wrong link or downloading the wrong file or taking the easy way out or simply being stupid.

It doesn’t matter how tight your security is or how strong your encryption might be, if even one employee leaves the back door open all the security in the world won’t help. Once the hackers gain access through that one hole your company networks are no longer secure, and the other networks that your company connects to are no longer secure and so on and so on.

Like I said before, I don’t think there is anything we can do about this problem – it’s just human nature to make mistakes.

And if you think that reading stories on technology websites makes you more cyber-aware than the next person, then consider this. What if this site was just a front for a general, non-specific phishing attack? Simply clicking on this article from the main page would mean it is already too late. You have already been hacked.

(Not really, but you get the point.)