For example, when I was called in to investigate a successful phishing attack, I asked users why they didn’t check the link in the email message to verify it was legitimate, as it was clearly not. They responded that they used their mobile device to view the email, and nobody told them how to verify links on an iPhone. That was a clear failing of the awareness program.
As security professionals, we tend to know things because we have been exposed to proper security behaviors throughout our careers. However, users do not have the same life experience, and without proper awareness programs, assuming users know better means that you personally do not.
So, if you are like Bromium’s survey participants and believe that users are your biggest headache, take some aspirin and look in the mirror.