A couple of years back there was a TV show from the BBC (source of a lot of good shows) called The Weakest Link. In that show contestants worked as a team to answer questions to win money. If the team failed, no money and eventually the team would determine the weakest member. This person would be sent off with the “you are the weakest link, goodbye” in the most proper of British accents.
How can the “weakest link” affect your organization?
I started thinking about this show recently as I was reading up on a number of high profile IT failures that have happened in 2017. In May, British Airways experienced a massive system failure that caused all flights to be cancelled from their two major hubs at Heathrow and Gatwick airports in London. Initial reports were of a “power surge” that created a cascading effect of failures. The cause of the “power surge”? A maintenance worker incorrectly turned off a power supply on a critical system. Once that system was turned back on, it created the surge which in turn created a series of other failures. Whoops.
Amazon Web Services (AWS) had an outage back in February of this year that was also caused by human error. In this case a typo in a single command caused AWS to experience a large outage for their East Coast based systems. If you’re thinking that wasn’t a big deal, realize that AWS hosts a large share of popular Internet cloud services such as Quora and Slack. So the impact of this outage was widespread – again all of because of human error.
So much of time we spend our time in IT security worrying about what can happen. What bad person out there is going to try and do something to us? The reality is, our issue lies here….
…our own people.
Prevention
Your organization is much more likely (2:1) to have an IT security incident caused by an internal user rather than by someone from the outside. Whether it is intentional (less likely) or accidental (way more likely), the impact of IT security incidents remains the same. IT security incidents are expensive, time consuming events that we should seek to avoid.
The challenge is that no amount of technology will 100% prevent Milton from falling victim to things such as ransomware, CEO email compromise and other common threats. Our approach needs to be a combination of end user education along with strong security related technologies. The more we can arm our end users with education, the better chance we all have of not being the weakest link.