Faculty Voices

Users Are Not the Weakest Link. It is Cybersecurity Professionals.

This is counterintuitive and controversial. So often, we hear that users are the weakest link. While this may sometimes be true, a root cause analysis (RCA) would show that cybersecurity professionals and educators are at fault. As both a practitioner and educator in this space, I will admit that we are also the weakest link. Why?

Too often, in cybersecurity, we explain the rules but not the why behind them. This is not new and has been going on for years. Ask people how long passwords should be, and the majority will say 8 characters. If you ask them why 8 characters, they probably can’t explain that it is due to a 1980s Microsoft hashing vulnerability, and that with modern cryptanalysis, 8-character passwords are simply too weak. This is not limited to passwords. The same is true for public Wi-Fi, instant messaging, personal email accounts, all variations of shadow IT, multi-factor authentication (MFA), and now AI.
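To put a number behind the "why" on password length, here is an added illustration (not code from the original column) that estimates how long an offline guessing attack would need to try every password of a given length and character set. The guessing rate, the character-set sizes and the lengths compared are constructed assumptions for teaching purposes, not measured figures for any particular hash or hardware.

```python
import math

# Constructed assumption: size of the alphabet a password is drawn from.
CHARSETS = {
    "digits": 10,       # 0-9
    "lowercase": 26,    # a-z
    "alnum": 62,        # a-z, A-Z, 0-9
    "printable": 95,    # printable ASCII
}

# Constructed assumption: guesses per second an attacker can make offline
# against a fast, unsalted hash. Treat it as a placeholder for the lesson,
# not as a benchmark of any real cracking rig.
ASSUMED_GUESSES_PER_SECOND = 10**11


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def bits_of_entropy(charset_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at the assumed rate."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit for a lay reader."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def comparison_table(lengths=(8, 12, 16)) -> list[dict]:
    """One row per (charset, length): entropy and worst-case crack time."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append({
                "charset": name,
                "length": n,
                "bits": round(bits_of_entropy(size, n), 1),
                "worst_case": human_duration(seconds_to_exhaust(size, n)),
            })
    return rows


if __name__ == "__main__":
    for row in comparison_table():
        print(f"{row['charset']:>10} x{row['length']:<3} "
              f"{row['bits']:>6} bits  {row['worst_case']}")
```

Run as-is, the table shows that an 8-character mixed-case alphanumeric password is exhausted in well under an hour at the assumed rate, while 12 and 16 characters push the same attack into years and beyond. The point for users is not the exact figure but the shape of the curve: length, not cleverness, is what moves the needle.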

In 2024, a Disney employee was hacked and subsequently terminated after downloading a freeware AI image generation tool that was a Trojan horse. The employee used a password manager, which is a good practice when combined with MFA. However, he was not using MFA and, worse, used the password manager to hold the MFA secrets for his other accounts. Once the attackers broke into the password manager, they had access to all of his personal and work accounts. We can say that he was the weakest link, but is that totally realistic? Did Disney do their part in educating him on the proper way to use password managers and MFA? To be clear, you should never store MFA secrets in the same system as your passwords, or mark devices as trusted, just because it saves a step. Get into the habit of receiving an SMS code or using an authenticator for every system you use today.

However, this case is about more than just MFA. It highlights that if you don’t provide solutions for your users, they will be creative and find their own workarounds, whether shadow IT solutions or bypassing security outright. We need to do a better job of explaining to our users why MFA solutions are beneficial (especially with authenticators). A better job means using examples that are easy to understand and easy to explain to others. If we explain how MFA works using the example of a car’s automatic transmission, it will be lost on most people because they have no idea how an automatic transmission works beyond the letters on the dashboard. Explain how MFA works and why it is important in their terms. Bypassing MFA by storing values is like leaving your car running with the keys in the ignition and the windows open. Everyone can picture this example and how easy it would be to walk up and steal the car.

Secure password vaults are only beneficial if they are protected with MFA and strong passwords. Since new GenAI tools are released daily, we especially need to explain which AI tools can and cannot be used, along with the why and why not. If we say 'no AI at all' without explaining why, users will still find their own solutions. If we explain the why, users can be the first line of defense and not the weakest link. The question is simple: What have you done today to explain the why?