Robert Campbell, Assistant Secretary in the Information Security Group of the Defence Signals Directorate, told the Government Technology World conference in Canberra yesterday that user behaviour is a powerful factor in network security.
Uneducated users are a major source of vulnerability because the majority of attacks require a user to activate a corrupt attachment.
"Most Trojans require people to double-click and unfortunately we have created an environment where people are happy to double-click," Campbell said.
But educated users can provide IT managers with early warning of an attack.
"When they see something they think they shouldn't see, when they see an e-mail they didn't send, they can actually be one of our greater allies in terms of protection of the information that we have a charter to protect."
He said user education was a necessary part of an overall approach from IT security professionals to mitigate risk rather than seeking to eliminate it by denying available functionality to staff or clients.
"It's not about turning to people and saying 'You cannot do this' because, if you say that, IT security will lose," he said.
"It's about working with the client community to work out how we deliver the requirement."
He said there was also a need for IT managers to overcome complacency about the robustness of standard operating environments rather than relying mainly on firewalls and other perimeter protections.
"It can be difficult to get through a firewall, but once people are on the inside it's generally soft and gooey and people can get a lot of information."