#4 End Users
It just got real. Real real.
End Users. Many of us security professionals, early in our education, develop a narrow picture of end users. We hear proclamations that humans are the weakest link in the security chain, and I think that’s unfair.
If humans weren’t around, we wouldn’t have a job! That makes humans strong, in my opinion. They help me pay the bills! Don’t let us cyber folks get you down too much—we're a jaded bunch. And when I say "we," I mean me. And not so much jaded as looping in the sentiments of:
End Users, to me, now represent water. And water will find the cracks. Water will put any system under pressure. You either have integrity, or you don’t. You are either resilient, or you aren’t. Water can also support some massive weight. Entire enterprises rely on the workforce’s ability to keep the business buoyant and afloat. People are the backbone and value creators of nearly every organization.
That said, people be crazy.
But, but why did you do that?
It’s fascinating how often people detach from reality and create a world where a stranger needs 10 gift cards—and they respond by driving around town like Santa Claus, depositing them into the scammers’ stockings.
Scammers and external threats prey on tactics that exploit workforce tendencies. Often, users receive only cursory training designed to meet compliance checkboxes. But ongoing training and awareness are far more effective. I strongly advocate continuous phishing campaigns—if users face phishing attempts once a month, it keeps their skills sharp in identifying malicious intent.
Compliance, InfoSec, and the business can also do a better job of outlining proper procedures for financial requests. If a user isn’t in a role that involves financial decisions, they should immediately delete, report, or forward such requests to the InfoSec team.
Sometimes, critical guidance like this is missing—or buried in hour three of a six-hour compliance marathon. It’s lost between employees splitting screens, trying to keep both their training progress and real work moving (not recommended).
I always vote for incentivizing and gamifying reporting/detection activities. The workforce should feel encouraged to err on the side of caution when dealing with suspicious emails. Recognizing and even rewarding department performance can help keep the click rate below 5%.
Should you have to do this? Well, handling humans on human terms tends to work better than expecting strict adherence to dry, forgettable policy documentation. Especially when that documentation is buried within 50 other policies—and those are just the ones for InfoSec and compliance.
Admin Rights? Yeah Right
Just... (sigh) Don't
Weak Passwords
Ah, another thing that can be controlled at the technical level (hint, hint). Like Administrator rights, strong password requirements can and should be enforced through appropriate safeguards and system configurations.
Where technical controls aren't available, administrative directives and training programs are essential to encourage users to step up their password strength. Although newer authentication mechanisms may replace passwords, these old reliables are likely to stick around in many organizations for years to come.
Guidance on complex passphrases is often minimal, and users tend to reuse passwords across accounts—for work, social media, even banking—because it’s easy to remember. And people love easy. If we can make secure practices easier for them, everybody wins. While password management tools introduce their own risks, they reduce the attack surface, making it easier to monitor and log password-related activity. That’s still preferable to hoping hundreds of employees are consistently following best practices across dozens of systems.
This is where multi-factor authentication (MFA) and single sign-on (SSO) become critical. Conditional access, device authentication, and short session durations (preferably under 18 hours) can further minimize risk. Without these, you’ll always have users defaulting to something like Winter2024ismypassword! and humming along as if they’re listening to the latest Taylor Swift album.
If you allow users to create weak passwords, they will create weak passwords. If you allow them to reuse passwords everywhere, they’ll do just that. And if you allow them to enter their credentials into every phishing site pretending to be your O365 portal, they’ll gladly oblige.
Users are like water—if you don’t want to get wet, you better seal the cracks.
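The point above is that Winter2024ismypassword! sails through a naive complexity rule (upper, lower, digit, symbol) yet is exactly what a guessing attack tries first. As an added example that is not from the original post, here is a policy check that screens for the predictable patterns instead; the banned list and word list are constructed placeholders for a real compromised-credential feed.

```python
import re

# Constructed stand-in for a real banned/compromised password list.
BANNED_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123"}
# Constructed list of words that show up inside "complex" passwords.
COMMON_WORDS = ("password", "passw0rd", "welcome", "company", "login")
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)(\d{2}|\d{4})")


def policy_violations(password: str, username: str = "", min_length: int = 14) -> list[str]:
    """Return the reasons a candidate password would be rejected (empty = accepted).

    Goes beyond character-class complexity and checks for the patterns people
    actually reach for: dictionary words, season+year, their own username,
    repeated characters, and known-bad passwords.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if lowered in BANNED_PASSWORDS:
        reasons.append("appears on the banned-password list")
    if any(word in lowered for word in COMMON_WORDS):
        reasons.append("contains a common dictionary word")
    # Winter2024, Summer25, Fall2023 ... season followed by a 2- or 4-digit year
    if SEASON_YEAR.search(lowered):
        reasons.append("season plus year pattern")
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    # Three or more of the same character in a row (aaa, 111, !!!)
    if re.search(r"(.)\1{2,}", password):
        reasons.append("repeated character run")
    return reasons


if __name__ == "__main__":
    for candidate in ("Winter2024ismypassword!", "Summer25!", "correct-horse-battery-staple-42"):
        print(candidate, "->", policy_violations(candidate) or "accepted")
```

Pair a check like this with MFA: the check raises the floor for what users can set, MFA limits the damage when a password still leaks through a phishing page.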
Insider Threats
So, insider threats… Fun, right? In some ways, they simplify things because you know the threat is specifically internal. Unfortunately, that doesn’t make them less dangerous.
Some individuals join your organization with malicious intent from day one. Others evolve into threats over time, fueled by grievances, real or perceived, and a desire to “set things right”.
The principle of least privilege is essential in mitigating insider threats. By limiting employees' access to only what their roles justify, you reduce the impact of potential insider attacks. If someone with a narrow scope of access turns malicious, they can only affect a small slice of your systems—ideally, a slice you’ve already accounted for and documented based on their role.
User and entity behavior analytics (UEBA) is invaluable for spotting suspicious behavior early. These systems detect patterns, raising alerts when a user exhibits unusual actions—whether they’re hoarding data to exfiltrate or trying to access restricted systems they have no business touching.
An effective insider threat program creates a structured framework with clear tools, criteria, and procedures, enabling swift action when suspicious activity is detected.
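The two UEBA signals named above, a user touching systems outside their documented role scope and a user suddenly pulling far more data than their own baseline, can be shown in a few lines. This is an added example, not code from the original post; the role-to-system map and the access log are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed least-privilege scope: which systems each role legitimately uses.
ROLE_SYSTEMS = {
    "finance": {"erp", "expense-portal"},
    "engineering": {"git", "ci", "wiki"},
}

# Constructed access records: (user, role, day, system, megabytes downloaded)
ACCESS_LOG = [
    ("alice", "finance", 1, "erp", 12),
    ("alice", "finance", 2, "erp", 15),
    ("alice", "finance", 3, "expense-portal", 10),
    ("alice", "finance", 4, "erp", 14),
    ("alice", "finance", 5, "erp", 1900),      # data hoarding spike
    ("bob", "engineering", 1, "git", 200),
    ("bob", "engineering", 2, "ci", 180),
    ("bob", "engineering", 3, "git", 220),
    ("bob", "engineering", 4, "wiki", 190),
    ("bob", "engineering", 5, "erp", 5),        # outside role scope
]


def find_anomalies(log, role_systems, z_threshold=3.0, min_days=3):
    """Return (user, day, reason) alerts for out-of-scope access and volume spikes."""
    alerts = []
    per_user_day = defaultdict(lambda: defaultdict(int))
    for user, role, day, system, mb in log:
        if system not in role_systems.get(role, set()):
            alerts.append((user, day, f"accessed {system} outside {role} scope"))
        per_user_day[user][day] += mb
    for user, days in per_user_day.items():
        ordered = sorted(days)
        volumes = [days[d] for d in ordered]
        for i, today in enumerate(volumes):
            history = volumes[:i]
            if len(history) < min_days:      # need a baseline before judging
                continue
            mu, sigma = mean(history), pstdev(history)
            # floor the spread so a perfectly flat baseline still yields a sane threshold
            threshold = mu + z_threshold * max(sigma, 0.1 * mu, 1.0)
            if today > threshold:
                alerts.append((user, ordered[i], f"{today} MB vs baseline ~{mu:.0f} MB"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(ACCESS_LOG, ROLE_SYSTEMS):
        print(alert)
```

A real UEBA product models far more signals, but the two checks here are the ones a documented least-privilege role map makes possible in the first place.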
The Wrap – End Users – Beautiful Chaos
At the end of the day, users are both the lifeblood of your organization and the wildcards that can keep security folks up at night. They’re the reason you have a job, and also the reason you sometimes wonder if it’s worth it. People are complex. They create value, push businesses forward, and innovate in ways no automated system ever could—but they also click on phishing links, reuse passwords, and occasionally sprint across town with gift cards for imaginary CEOs.
The truth is, end users aren’t going to stop being human. They’ll find cracks in every policy, workaround for every system, and an excuse for every weird decision they make (“Well, it seemed legit!”). Your job isn’t to change that; it’s to work with it. Treat them like water—guide their flow, seal the cracks, and reinforce the structures that keep things afloat. Don’t drown them in dry policies or 6-hour compliance marathons—find ways to engage them, gamify tasks, and make security feel like part of their daily rhythm, not a chore.
Here’s the reality: people aren’t going anywhere—and thank goodness for that. It’s our job as security professionals to meet them where they are, build resilience into every level of the organization, and make sure that when things do go wrong (and they will), we’re ready to bounce back. Users will surprise you—sometimes with brilliance, sometimes with chaos. But with the right approach, you can shape that chaos into something sustainable. Because if you manage the human element right, they’ll not only stop being a threat—they just might become your greatest defense.